1# Changes
2
3Please visit Linkerd's [Release page][gh-releases] for the latest release
4notes moving forward!
5
6[gh-releases]: https://github.com/linkerd/linkerd2/releases
7
8## edge-24.2.5
9
10* Migrated edge release change notes to use GitHub's automated release notes
11 feature.
12
13## edge-24.2.4
14
15* Updated the ExternalWorkload CRD to v1beta1, renaming the meshTls field to
16 meshTLS ([#12098])
17* Updated the proxy to address some logging and metrics inconsistencies
18 ([#12099])
19
20[#12098]: https://github.com/linkerd/linkerd2/pull/12098
21[#12099]: https://github.com/linkerd/linkerd2/pull/12099
22
23## edge-24.2.3
24
25* Allowed the `MutatingWebhookConfig` timeout value to be configured ([#12028])
26 (thanks @mikebell90)
27* Added a counter for items dropped from destination controller workqueue
28 ([#12079])
29* Fixed a spurious `linkerd check` error when using container images with
30 digests ([#12059])
31* Fixed an issue where inbound policy could be incorrect after certain policy
32 resources are deleted ([#12088])
33
34[#12028]: https://github.com/linkerd/linkerd2/pull/12028
35[#12079]: https://github.com/linkerd/linkerd2/pull/12079
36[#12059]: https://github.com/linkerd/linkerd2/pull/12059
37[#12088]: https://github.com/linkerd/linkerd2/pull/12088
38
39## edge-24.2.2
40
41This release addresses some issues in the destination service that could cause
42it to behave unexpectedly when processing updates.
43
44* Fixed a race condition in the destination service that could cause panics
45 under very specific conditions ([#12022]; fixes [#12010])
46* Changed how updates to a `Server` selector are handled in the destination
47 service. When a `Server` that marks a port as opaque no longer selects a
48 resource, the resource's opaqueness will be reverted to default settings
49 ([#12031]; fixes [#11995])
50* Introduced Helm configuration values for liveness and readiness probe
51 timeouts and delays ([#11458]; fixes [#11453]) (thanks @jan-kantert!)
52
53[#12010]: https://github.com/linkerd/linkerd2/issues/12010
54[#12022]: https://github.com/linkerd/linkerd2/pull/12022
55[#11995]: https://github.com/linkerd/linkerd2/issues/11995
56[#12031]: https://github.com/linkerd/linkerd2/pull/12031
57[#11453]: https://github.com/linkerd/linkerd2/issues/11453
58[#11458]: https://github.com/linkerd/linkerd2/pull/11458
59
60## edge-24.2.1
61
62This edge release contains performance and stability improvements to the
63Destination controller, and continues stabilizing support for ExternalWorkloads.
64
65* Reduced the load on the Destination controller by only processing Server
66 updates on workloads affected by the Server ([#12017])
67* Changed how the Destination controller reacts to target clusters (in
68 multicluster pod-to-pod mode) whose Server CRD is outdated: skip them and log
69 an error instead of panicking ([#12008])
70* Improved the leader election of the ExternalWorkloads Endpoints controller to
71 avoid missing events ([#12021])
72* Improved naming of EndpointSlices generated by ExternalWorkloads ([#12016])
73* Restricted the number of IPs an ExternalWorkload can have ([#12026])
74
75[#12017]: https://github.com/linkerd/linkerd2/pull/12017
76[#12008]: https://github.com/linkerd/linkerd2/pull/12008
77[#12021]: https://github.com/linkerd/linkerd2/pull/12021
78[#12016]: https://github.com/linkerd/linkerd2/pull/12016
79[#12026]: https://github.com/linkerd/linkerd2/pull/12026
80
81## edge-24.1.3
82
83This release continues support for ExternalWorkload resources throughout the
84control and data planes.
85
86* Updated the proxy to use SPIRE to instrument identity outside of Kubernetes.
87* Updated the Destination controller to return `INVALID_ARGUMENT` status codes
88 properly when a `ServiceProfile` is requested for a service that does not
89 exist. (#11980)
90* An ExternalWorkload EndpointSlice controller has been added to the
91 Destination controller.
92* Added a `createNamespaceMetadataJob` Helm value to control whether the
93 namespace-metadata job is run during install (#11782)
94
95## edge-24.1.2
96
97This edge release incrementally improves support for ExternalWorkload resources
98throughout the control plane.
99
100## edge-24.1.1
101
102This edge release introduces a number of different fixes and improvements. More
103notably, it introduces a new `cni-repair-controller` binary to the CNI plugin
104image. The controller will automatically restart pods that have not received
105their iptables configuration.
106
107* Removed shortnames from Tap API resources to avoid colliding with existing
108 Kubernetes resources ([#11816]; fixes [#11784])
109* Introduced a new ExternalWorkload CRD to support upcoming mesh expansion
110 feature ([#11805])
111* Changed `MeshTLSAuthentication` resource validation to allow SPIFFE URI
112 identities ([#11882])
113* Introduced a new `cni-repair-controller` to the `linkerd-cni` DaemonSet to
114 automatically restart misconfigured pods that are missing iptables rules
115 ([#11699]; fixes [#11073])
116* Fixed a `"duplicate metrics"` warning in the multicluster service-mirror
117 component ([#11875]; fixes [#11839])
118* Added metric labels and weights to `linkerd diagnostics endpoints` json
119 output ([#11889])
120* Changed how `Server` updates are handled in the destination service. The
121 change will ensure that during a cluster resync, consumers won't be
122 overloaded by redundant updates ([#11907])
123* Changed `linkerd install` error output to add a newline when a Kubernetes
124 client cannot be successfully initialised ([#11917])
125
126[#11816]: https://github.com/linkerd/linkerd2/pull/11816
127[#11784]: https://github.com/linkerd/linkerd2/issues/11784
128[#11805]: https://github.com/linkerd/linkerd2/pull/11805
129[#11882]: https://github.com/linkerd/linkerd2/pull/11882
130[#11699]: https://github.com/linkerd/linkerd2/pull/11699
131[#11073]: https://github.com/linkerd/linkerd2/issues/11073
132[#11875]: https://github.com/linkerd/linkerd2/pull/11875
133[#11839]: https://github.com/linkerd/linkerd2/issues/11839
134[#11889]: https://github.com/linkerd/linkerd2/pull/11889
135[#11907]: https://github.com/linkerd/linkerd2/pull/11907
136[#11917]: https://github.com/linkerd/linkerd2/pull/11917
137
138## edge-23.12.4
139
140This edge release includes fixes and improvements to the destination
141controller's endpoint resolution API.
142
143* Fixed an issue in the control plane where discovery for pod IP addresses could
144 hang indefinitely ([#11815])
145* Updated the proxy to enforce time limits on control plane response streams so
146 that proxies more naturally distribute load over control plane replicas
147 ([#11837])
148* Fixed the policy controller's service metadata responses so that proxy logs
149 and metrics have informative values ([#11842])
150
151[#11842]: https://github.com/linkerd/linkerd2/pull/11842
152[#11837]: https://github.com/linkerd/linkerd2/pull/11837
153[#11815]: https://github.com/linkerd/linkerd2/pull/11815
154
155## edge-23.12.3
156
157This edge release contains improvements to the logging and diagnostics of the
158destination controller.
159
160* Added a control plane metric to count errors talking to the Kubernetes API
161 ([#11774])
162* Fixed an issue causing spurious destination controller error messages for
163 profile lookups on unmeshed pods with a port in the default opaque list ([#11550])
164
165[#11774]: https://github.com/linkerd/linkerd2/pull/11774
166[#11550]: https://github.com/linkerd/linkerd2/pull/11550
167
168## edge-23.12.2
169
170This edge release includes a restructuring of the proxy's balancer along with
171accompanying new metrics. The new minimum supported Kubernetes version is 1.22.
172
173* Restructured the proxy's balancer ([#11750]): balancer changes may now occur
174 independently of request processing. Fail-fast circuit breaking is enforced on
175 the balancer's queue so that requests can't get stuck in a queue indefinitely.
176 This new balancer is instrumented with new metrics: request (in-queue) latency
177 histograms, failfast states, discovery updates counts, and balancer endpoint
178 pool sizes.
179* Changed how the policy controller updates HTTPRoute status so that it doesn't
180 affect statuses from other non-linkerd controllers ([#11705]; fixes [#11659])
181
182[#11750]: https://github.com/linkerd/linkerd2/pull/11750
183[#11705]: https://github.com/linkerd/linkerd2/pull/11705
184[#11659]: https://github.com/linkerd/linkerd2/pull/11659
185
186## edge-23.12.1
187
188This edge release introduces new configuration values in the identity
189controller for client-go's `QPS` and `Burst` settings. Default values for these
190settings have also been raised from `5` (QPS) and `10` (Burst) to `100` and
191`200` respectively.
192
193* Added `namespaceSelector` fields for the tap-injector and jaeger-injector
194 webhooks. The webhooks are now configured to skip `kube-system` by default
195 ([#11649]; fixes [#11647]) (thanks @mikutas!)
196* Added the ability to configure client-go's `QPS` and `Burst` settings in the
197 identity controller ([#11644])
198* Improved client-go logging visibility throughout the control plane's
199 components ([#11632])
200* Introduced `PodDisruptionBudgets` in the linkerd-viz Helm chart for tap and
201 tap-injector ([#11628]; fixes [#11248]) (thanks @mcharriere!)
202
203[#11649]: https://github.com/linkerd/linkerd2/pull/11649
204[#11647]: https://github.com/linkerd/linkerd2/issues/11647
205[#11644]: https://github.com/linkerd/linkerd2/pull/11644
206[#11632]: https://github.com/linkerd/linkerd2/pull/11632
207[#11628]: https://github.com/linkerd/linkerd2/pull/11628
208[#11248]: https://github.com/linkerd/linkerd2/issues/11248
209
210## edge-23.11.4
211
212This edge release introduces support for the native sidecar containers entering
213beta support in Kubernetes 1.29. This improves the startup and shutdown ordering
214for the proxy relative to other containers, fixing the long-standing
215shutdown issue with injected `Job`s. Furthermore, traffic from other
216`initContainer`s can now be proxied by Linkerd.
217
218In addition, this edge release includes Helm chart improvements, and improvements
219to the multicluster extension.
220
221* Added a new `config.alpha.linkerd.io/proxy-enable-native-sidecar` annotation
222 and `Proxy.NativeSidecar` Helm option that causes the proxy container to run
223 as an init-container (thanks @teejaded!) ([#11465]; fixes [#11461])
224* Fixed broken affinity rules for the multicluster `service-mirror` when running
225 in HA mode ([#11609]; fixes [#11603])
226* Added a new check to `linkerd check` that ensures all extension namespaces are
227 configured properly ([#11629]; fixes [#11509])
228* Updated the Prometheus Docker image used by the `linkerd-viz` extension to
229 v2.48.0, resolving a number of CVEs in older Prometheus versions ([#11633])
230* Added `nodeAffinity` to `deployment` templates in the `linkerd-viz` and
231 `linkerd-jaeger` Helm charts (thanks @naing2victor!) ([#11464]; fixes
232 [#10680])
233
234[#11465]: https://github.com/linkerd/linkerd2/pull/11465
235[#11461]: https://github.com/linkerd/linkerd2/issues/11461
236[#11609]: https://github.com/linkerd/linkerd2/pull/11609
237[#11603]: https://github.com/linkerd/linkerd2/issues/11603
238[#11629]: https://github.com/linkerd/linkerd2/pull/11629
239[#11509]: https://github.com/linkerd/linkerd2/issues/11509
240[#11633]: https://github.com/linkerd/linkerd2/pull/11633
241[#11464]: https://github.com/linkerd/linkerd2/pull/11464
242[#10680]: https://github.com/linkerd/linkerd2/issues/10680
243
244## edge-23.11.3
245
246This edge release fixes a bug where Linkerd could cause EOF errors during bursts
247of TCP connections.
248
249* Fixed a bug where the `linkerd multicluster link` command's
250 `--gateway-addresses` flag was not respected when a remote gateway exists
251 ([#11564])
252* proxy: Increased DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY to prevent EOF errors
253 during bursts of TCP connections
254
255[#11564]: https://github.com/linkerd/linkerd2/pull/11564
256
257## edge-23.11.2
258
259This edge release contains observability improvements and bug fixes to the
260Destination controller, and a refinement to the multicluster gateway resolution
261logic.
262
263* Fixed an issue where the Destination controller could stop processing service
264 profile updates, if a proxy subscribed to those updates stops reading them;
265 this is a followup to the issue [#11491] fixed in [edge-23.10.3] ([#11546])
266* In the Destination controller, added informer lag histogram metrics to track
267 whenever the Kubernetes objects watched by the controller are falling behind
268 the state in the kube-apiserver ([#11534])
269* In the multicluster service mirror, extended the target gateway resolution
270 logic to take into account all the possible IPs a hostname might resolve to,
271 rather than just the first one (thanks @MrFreezeex!) ([#11499])
272* Added probes to the debug container to appease environments requiring probes
273 for all containers ([#11308])
274
275[edge-23.10.3]: https://github.com/linkerd/linkerd2/releases/tag/edge-23.10.3
276[#11546]: https://github.com/linkerd/linkerd2/pull/11546
277[#11534]: https://github.com/linkerd/linkerd2/pull/11534
278[#11499]: https://github.com/linkerd/linkerd2/pull/11499
279[#11308]: https://github.com/linkerd/linkerd2/pull/11308
280
281## edge-23.11.1
282
283This edge release fixes two bugs in the Destination controller that could cause
284outbound connections to hang indefinitely.
285
286* helm: Introduce configurable values for protocol detection ([#11536])
287* destination: Fix GetProfiles error when address is opaque and unmeshed ([#11556])
288* destination: Return NotFound for unknown pod names ([#11540])
289* proxy: Log controller errors at WARN
290* proxy: Fix grpc_status metric labels for inbound traffic
291
292[#11536]: https://github.com/linkerd/linkerd2/pull/11536
293[#11556]: https://github.com/linkerd/linkerd2/pull/11556
294[#11540]: https://github.com/linkerd/linkerd2/pull/11540
295
296## edge-23.10.4
297
298This edge release includes a fix for the `ServiceProfile` CRD resource schema.
299The schema incorrectly required `not` response matches to be arrays, while the
300in-cluster validator parsed `not` response matches as objects. In addition, an
301issue has been fixed in `linkerd profile`. When used with the `--open-api`
302flag, it would not strip trailing slashes when generating a resource from
303swagger specifications.
304
305* Fixed an issue where trailing slashes wouldn't be stripped when generating
306 `ServiceProfile` resources through `linkerd profile --open-api` ([#11519])
307* Fixed an issue in the `ServiceProfile` CRD schema. The schema incorrectly
308 required that a `not` response match should be an array, which the service
309 profile validator rejected since it expected an object. The schema has been
310 updated to properly indicate that `not` values should be an object ([#11510];
311 fixes [#11483])
312* Improved logging in the destination controller by adding the client pod's
313 name to the logging context. This will improve visibility into the messages
314 sent and received by the control plane from a specific proxy ([#11532])
315* Fixed an issue in the destination controller where the metadata API would not
316 initialize a `Job` informer. The destination controller uses the metadata API
317 to retrieve `Job` metadata, and relies mostly on informers. Without an
318 initialized informer, an error message would be logged, and the controller
319 relied on direct API calls ([#11541]; fixes [#11531])
320
321[#11541]: https://github.com/linkerd/linkerd2/pull/11541
322[#11532]: https://github.com/linkerd/linkerd2/pull/11532
323[#11531]: https://github.com/linkerd/linkerd2/issues/11531
324[#11519]: https://github.com/linkerd/linkerd2/pull/11519
325[#11510]: https://github.com/linkerd/linkerd2/pull/11510
326[#11483]: https://github.com/linkerd/linkerd2/issues/11483
327
328## edge-23.10.3
329
330This edge release fixes issues in the proxy and Destination controller which can
331result in Linkerd proxies sending traffic to stale endpoints. In addition, it
332contains other bugfixes and updates dependencies to include patches for the
333security advisories [CVE-2023-44487]/GHSA-qppj-fm5r-hxr3 and GHSA-c827-hfw6-qwvm.
334
335* Fixed an issue where the Destination controller could stop processing
336 changes in the endpoints of a destination, if a proxy subscribed to that
337 destination stops reading service discovery updates. This issue results in
338 proxies attempting to send traffic for that destination to stale endpoints
339 ([#11491], fixes [#11480], [#11279], and [#10590])
340* Fixed a regression introduced in stable-2.13.0 where proxies would not
341 terminate unused service discovery watches, exerting backpressure on the
342 Destination controller which could cause it to become stuck
343 ([linkerd2-proxy#2484] and [linkerd2-proxy#2486])
344* Added `INFO`-level logging to the proxy when endpoints are added or removed
345 from a load balancer. These logs are enabled by default, and can be disabled
346 by [setting the proxy log level][proxy-log-level] to
347 `warn,linkerd=info,linkerd_proxy_balance=warn` or similar
348 ([linkerd2-proxy#2486])
349* Fixed a regression where the proxy rendered `grpc_status` metric labels as a
350 string rather than as the numeric status code ([linkerd2-proxy#2480]; fixes
351 [#11449])
352* Extended `linkerd-jaeger`'s `imagePullSecrets` Helm value to also apply to
353 the `namespace-metadata` ServiceAccount ([#11504])
354* Updated the control plane's dependency on the `google.golang.org/grpc` Go
355 package to include patches for [CVE-2023-44487]/GHSA-qppj-fm5r-hxr3 ([#11496])
356* Updated dependencies on `rustix` to include patches for GHSA-c827-hfw6-qwvm
357 ([linkerd2-proxy#2488] and [#11512]).
358
359[#10590]: https://github.com/linkerd/linkerd2/issues/10590
360[#11279]: https://github.com/linkerd/linkerd2/issues/11279
361[#11491]: https://github.com/linkerd/linkerd2/pull/11491
362[#11449]: https://github.com/linkerd/linkerd2/issues/11449
363[#11480]: https://github.com/linkerd/linkerd2/issues/11480
364[#11504]: https://github.com/linkerd/linkerd2/issues/11504
365[#11512]: https://github.com/linkerd/linkerd2/issues/11512
366[linkerd2-proxy#2480]: https://github.com/linkerd/linkerd2-proxy/pull/2480
367[linkerd2-proxy#2484]: https://github.com/linkerd/linkerd2-proxy/pull/2484
368[linkerd2-proxy#2486]: https://github.com/linkerd/linkerd2-proxy/pull/2486
369[linkerd2-proxy#2488]: https://github.com/linkerd/linkerd2-proxy/pull/2488
370[proxy-log-level]: https://linkerd.io/2.14/tasks/modifying-proxy-log-level/
371[CVE-2023-44487]: https://github.com/advisories/GHSA-qppj-fm5r-hxr3
372
373## edge-23.10.2
374
375This edge release includes a fix addressing an issue during upgrades for
376instances not relying on automated webhook certificate management (like
377cert-manager provides).
378
379* Added a `checksum/config` annotation to the destination and proxy injector
380 deployment manifests, to force restarting those workloads whenever their
381 webhook secrets change during upgrade (thanks @iAnomaly!) ([#11440])
382* Fixed policy controller error when deleting a Gateway API HTTPRoute resource
383 ([#11471])
384
385[#11440]: https://github.com/linkerd/linkerd2/pull/11440
386[#11471]: https://github.com/linkerd/linkerd2/pull/11471
387
388## edge-23.10.1
389
390This edge release adds additional configurability to Linkerd's viz and
391multicluster extensions.
392
393* Added a `podAnnotations` Helm value to allow adding additional annotations to
394 the Linkerd-Viz Prometheus Deployment ([#11365]) (thanks @cemenson)
395* Added `imagePullSecrets` Helm values to the multicluster chart so that it can
396 be installed in an air-gapped environment. ([#11285]) (thanks @lhaussknecht)
397
398[#11365]: https://github.com/linkerd/linkerd2/issues/11365
399[#11285]: https://github.com/linkerd/linkerd2/issues/11285
400
401## edge-23.9.4
402
403This edge release makes Linkerd even better.
404
405* Added a controlPlaneVersion override to the `linkerd-control-plane` Helm chart
406 to support including SHA256 image digests in Linkerd manifests (thanks
407 @cromulentbanana!) ([#11406])
408* Improved `linkerd viz check` to attempt to validate that the Prometheus scrape
409 interval will work well with the CLI and Web query parameters ([#11376])
410* Improved CLI error handling to print differentiated error information when
411 versioncheck.linkerd.io cannot be resolved (thanks @dtaskai) ([#11377])
412* Fixed an issue where the destination controller would not update pod metadata
413 for profile resolutions for a pod accessed via the host network (e.g.
414 HostPort endpoints) ([#11334]).
415* Added a validating webhook config for httproutes.gateway.networking.k8s.io
416 resources (thanks @mikutas!) ([#11150])
417* Introduced a new `multicluster check --timeout` flag to limit the time
418 allowed for Kubernetes API calls (thanks @moki1202) ([#11420])
419
420[#11150]: https://github.com/linkerd/linkerd2/pull/11150
421[#11334]: https://github.com/linkerd/linkerd2/pull/11334
422[#11376]: https://github.com/linkerd/linkerd2/pull/11376
423[#11377]: https://github.com/linkerd/linkerd2/pull/11377
424[#11406]: https://github.com/linkerd/linkerd2/pull/11406
425[#11420]: https://github.com/linkerd/linkerd2/pull/11420
426
427## edge-23.9.3
428
429This edge release updates the proxy's dependency on the `rustls` library to
430patch security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0]
431(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when
432accepting a TLS handshake from an untrusted peer with a maliciously-crafted
433certificate. Furthermore, this edge release contains a few improvements to the
434control plane and jaeger extension Helm charts.
435
436* Addressed security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0] in
437 the proxy by updating its dependency on the `rustls` library
438* Added a `prometheusUrl` field for the heartbeat job in the control plane Helm
439 chart (thanks @david972!) ([#11343]; fixes [#11342])
440* Introduced support for arbitrary labels in the `podMonitors` field in the
441 control plane Helm chart (thanks @jseiser!) ([#11222]; fixes [#11175])
442* Added support for config merge and Deployment environment to
443 `opentelemetry-collector` in the jaeger extension (thanks @iAnomaly!)
444 ([#11283])
445
446[#11283]: https://github.com/linkerd/linkerd2/pull/11283
447[#11222]: https://github.com/linkerd/linkerd2/pull/11222
448[#11175]: https://github.com/linkerd/linkerd2/issues/11175
449[#11343]: https://github.com/linkerd/linkerd2/pull/11343
450[#11342]: https://github.com/linkerd/linkerd2/issues/11342
451[RUSTSEC-2023-0052-0]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
452
453## edge-23.9.2
454
455This edge release updates the proxy's dependency on the `webpki` library to
456patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a
457potential CPU usage denial-of-service attack when accepting a TLS handshake from
458an untrusted peer with a maliciously-crafted certificate.
459
460* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361])
461* Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods
462 in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
463* Removed unnecessary `linkerd.io/helm-release-version` annotation from the
464 `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
465 [#10778])
466
467[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
468[#11295]: https://github.com/linkerd/linkerd2/pull/11295
469[#11280]: https://github.com/linkerd/linkerd2/issues/11280
470[#11361]: https://github.com/linkerd/linkerd2/pull/11361
471[#11329]: https://github.com/linkerd/linkerd2/pull/11329
472[#10778]: https://github.com/linkerd/linkerd2/issues/10778
473
474## edge-23.9.1
475
476This edge release introduces a fix for service discovery on endpoints that use
477hostPorts. Previously, the destination service would return the pod IP for the
478discovery request which could break connectivity on pod restart. To fix this,
479direct pod communication for a pod bound on a hostPort will always return the
480hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
481detected in the CNI plugin and proxy-init images, and includes a number of other
482fixes and small improvements.
483
484* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
485 ([#11296])
486* Introduced resource requests/limits for the policy controller resource in the
487 control plane helm chart ([#11301])
488* Fixed an issue where an empty `remoteDiscoverySelector` field in a
489 multicluster link would cause all services to be mirrored ([#11309])
490* Removed the timeout from the `linkerd multicluster gateways` command; when no
491 metrics exist the command will return instantly ([#11265])
492* Improved help messaging for `linkerd multicluster link` ([#11265])
493* Changed how hostPort lookups are handled in the destination service.
494 Previously, when doing service discovery for an endpoint bound on a hostPort,
495 the destination service would return the corresponding pod IP. On pod
496 restart, this could lead to loss of connectivity on the client's side. The
497 destination service now always returns host IPs for service discovery on an
498 endpoint that uses hostPorts ([#11328])
499* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
500 (thanks @mikutas!) ([#11149])
501* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
502 inject` (thanks @mikutas!) ([#10231])
503
504[#11309]: https://github.com/linkerd/linkerd2/issues/11309
505[#11296]: https://github.com/linkerd/linkerd2/discussions/11296
506[#11328]: https://github.com/linkerd/linkerd2/pull/11328
507[#11301]: https://github.com/linkerd/linkerd2/issues/11301
508[#11265]: https://github.com/linkerd/linkerd2/pull/11265
509[#11149]: https://github.com/linkerd/linkerd2/pull/11149
510[#10231]: https://github.com/linkerd/linkerd2/issues/10231
511
512## stable-2.14.0
513
514This release introduces direct pod-to-pod multicluster service mirroring. When
515clusters are deployed on a flat network, Linkerd can export multicluster
516services in a way where cross-cluster traffic does not need to go through the
517gateway. This enhances multicluster authentication and can reduce the need for
518provisioning public load balancers.
519
520In addition, this release adds support for the
521[Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resource (in the
522`gateway.networking.k8s.io` api group). This improves compatibility with other
523tools that use these resources such as [Flagger](https://flagger.app/) and
524[Argo Rollouts](https://argoproj.github.io/rollouts/). The release also includes
525a large number of features and improvements to HTTPRoute including the ability
526to set timeouts and the ability to define consumer-namespace HTTPRoutes.
527
528Finally, this release includes a number of bugfixes, performance improvements,
529and other smaller additions.
530
531**Upgrade notes**: Please see the
532[upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2140).
533
534* Multicluster
535 * Remove namespace field from cluster scoped resources to fix pruning
536 * Added -o json flag for the `linkerd multicluster gateways` command (thanks
537 @hiteshwani29)
538 * Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks
539 @bunnybilou!)
540 * Added leader-election capabilities to the service-mirror controller
541 * Added high-availability (HA) mode for the multicluster service-mirror
542 * Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD,
543 which enables a service mirroring mode where the control plane
544 performs discovery for the mirrored service from the remote cluster, rather
545 than creating Endpoints for the mirrored service in the source cluster
546* HTTPRoute
547 * Fixed `linkerd uninstall` issue for HTTPRoute
548 * Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy
549 controller
550 * Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
551 outbound policy; filters may be added at the route or backend level
552 * Added support for the `ResponseHeaderModifier` HTTPRoute filter
553 * Added support for HTTPRoutes defined in the consumer namespace
554 * Added support for HTTPRoute `parent_refs` that do not specify a port
555* CRDs
556 * Patched the MeshTLSAuthentication CRD to force providing at least one
557 identity/identityRef
558* Control Plane
559 * Send Opaque protocol hint for opaque ports in destination controller
560 * Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm
561 charts with `topology.kubernetes.io/zone` labels (thanks @piyushsingariya!)
562 * Replaced `server_port_subscribers` Destination controller gauge metric with
563 `server_port_subscribes` and `server_port_unsubscribes` counter metrics
564* Proxy
565 * Handle Opaque protocol hints on endpoints
566 * Added `outbound_http_balancer_endpoints` metric
567 * Fixed missing route_ metrics for requests with ServiceProfiles
568 * Fixed proxy startup failure when using the `config.linkerd.io/admin-port`
569 annotation (thanks @jclegras!)
570 * Added distinguishable version information to proxy logs and metrics
571* CLI
572 * The `linkerd diagnostics policy` command now displays outbound policy when
573 the target resource is a Service
574 * A fix for HA validation checks when Linkerd is installed with Helm. Thanks
575 @mikutas!!
576* Viz
577 * Add the `kubelet` NetworkAuthentication back since it is used by the
578 `linkerd viz allow-scrapes` subcommand.
579 * Fixed the `linkerd viz check` command so that it will wait until the viz
580 extension becomes ready
581 * Fixed an issue where specifying a `remote_write` config would cause the
582 Prometheus config to be invalid (thanks @hiteshwani29)
583 * Improved validation of the `--to` and `--from` flags for the `linkerd viz stat`
584 command (thanks @pranoyk)
585 * Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields
586 (thanks @hiteshwani29!)
587 * Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
588 * Fixed missing "Services" menu item in the Spanish localization for the
589 `linkerd-viz` web dashboard (thanks @mclavel!)
590* Extensions
591 * Added missing label `linkerd.io/extension` to certain resources to ensure they
592 are pruned when appropriate (thanks @ClementRepo)
593 * Added tolerations and nodeSelector support in extensions `namespace-metadata`
594 Jobs (thanks @pssalman!)
595* Init Containers
596 * Added an option for disabling the network validator's security context for
597 environments that provide their own
598* CNI
599 * Added --set flag to install-cni plugin (thanks @amit-62!)
600 * Fixed missing resource-cni labels on linkerd-cni; this blocked the
601 linkerd-cni pods from coming up when the injector was broken (thanks
602 @migueleliasweb!)
603* Build
604 * Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!
605
606This release includes changes from a massive list of contributors! A special
607thank-you to everyone who helped make this release possible:
608
609* Amir Karimi @AMK9978
610* Amit Kumar @amit-62
611* Andre Marcelo-Tanner @kzap
612* Andrew @andrew-gropyus
613* Arnaud Beun @bunnybilou
614* Clement @proxfly
615* Dima @krabradosty
616* Grégoire Bellon-Gervais @albundy83
617* Harsh Soni @harsh020
618* Jean-Charles Legras @jclegras
619* Loong Dai @daixiang0
620* Mark Robinson @MarkSRobinson
621* Miguel Elias dos Santos @migueleliasweb
622* Pranoy Kumar Kundu @pranoyk
623* Ryan Hristovski @ryanhristovski
624* Takumi Sue @mikutas
625* Zakhar Bessarab @zekker6
626* hiteshwani29 @hiteshwani29
627* pheianox
628* pssalman @pssalman
629
630## edge-23.8.3
631
632This is a release candidate for stable-2.14.0; we encourage you to help try
633it out!
634
635This edge release contains a number of improvements over the multi-cluster
636features introduced in the last edge release supporting flat networks. It also
637hardens the containers' security stance by removing write access to the root
638filesystem.
639
640* Enhanced `linkerd multicluster link` to allow clusters to be linked without a
641 gateway ([#11226])
642* Added cluster store size gauge metric ([#11256])
643* Disabled local traffic policy for remote discovery ([#11257])
644* Fixed various innocuous multi-cluster warnings ([#11251], [#11246], [#11253])
645* Set `readOnlyRootFilesystem: true` in all the containers, as they don't
646 require write permissions ([#11221]; fixes [#11142]) (thanks @mikutas!)
647
648[#11226]: https://github.com/linkerd/linkerd2/pull/11226
649[#11256]: https://github.com/linkerd/linkerd2/pull/11256
650[#11257]: https://github.com/linkerd/linkerd2/pull/11257
651[#11251]: https://github.com/linkerd/linkerd2/pull/11251
652[#11246]: https://github.com/linkerd/linkerd2/pull/11246
653[#11253]: https://github.com/linkerd/linkerd2/pull/11253
654[#11221]: https://github.com/linkerd/linkerd2/pull/11221
655[#11142]: https://github.com/linkerd/linkerd2/issues/11142
656
657## edge-23.8.2
658
659This edge release adds improvements to Linkerd's multi-cluster features as part
660of the [flat network support] planned for Linkerd stable-2.14.0. In addition, it
661fixes an issue ([#10764]) where warnings about an invalid metric were logged
662frequently by the Destination controller.
663
664* Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD,
665 which enables a service mirroring mode where the control plane
666 performs discovery for the mirrored service from the remote cluster, rather
667 than creating Endpoints for the mirrored service in the source cluster
668 ([#11190], [#11201], [#11220], and [#11224])
669* Fixed missing "Services" menu item in the Spanish localization for the
670 `linkerd-viz` web dashboard ([#11229]) (thanks @mclavel!)
671* Replaced `server_port_subscribers` Destination controller gauge metric with
672 `server_port_subscribes` and `server_port_unsubscribes` counter metrics
673 ([#11206]; fixes [#10764])
674* Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm
675 charts with `topology.kubernetes.io/zone` labels ([#11148]; fixes [#11114])
676 (thanks @piyushsingariya!)
677
678[#10764]: https://github.com/linkerd/linkerd2/issues/10764
679[#11114]: https://github.com/linkerd/linkerd2/issues/11114
680[#11148]: https://github.com/linkerd/linkerd2/issues/11148
681[#11190]: https://github.com/linkerd/linkerd2/issues/11190
682[#11201]: https://github.com/linkerd/linkerd2/issues/11201
683[#11206]: https://github.com/linkerd/linkerd2/issues/11206
684[#11220]: https://github.com/linkerd/linkerd2/issues/11220
685[#11224]: https://github.com/linkerd/linkerd2/issues/11224
686[#11229]: https://github.com/linkerd/linkerd2/issues/11229
687[flat network support]: https://linkerd.io/2023/07/20/enterprise-multi-cluster-at-scale-supporting-flat-networks-in-linkerd/
688
689## edge-23.8.1
690
691This edge release restores a proxy setting so that it sheds load less aggressively
692while under high load, which should result in lower error rates (see #11055). It
693also removes the usage of host networking in the linkerd-cni extension.
694
695* Changed the default HTTP request queue capacities for the inbound and outbound
696 proxies back to 10,000 requests (see #11055 and #11198)
697* Removed the need for host networking in the linkerd-cni DaemonSet (#11141)
698 (thanks @abhijeetgauravm!)
699
700## edge-23.7.3
701
702This edge release improves Linkerd's support for HttpRoute by allowing
703`parent_ref` ports to be optional, allowing HttpRoutes to be defined in a
704consumer's namespace, and adding support for the `ResponseHeaderModifier` filter.
705It also fixes a panic in the destination controller.
706
707* Added an option for disabling the network validator's security context for
708 environments that provide their own
709* Added high-availability (HA) mode for the multicluster service-mirror
710* Added support for HttpRoute `parent_refs` that do not specify a port
711* Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
712* Added support for HttpRoutes defined in the consumer namespace
713* Improved the granularity of logging levels in the control plane
714* Fixed a race condition in the destination controller that could cause it to
715 panic
716* Added support for the `ResponseHeaderModifier` HttpRoute filter
717* Updated extension CLI commands to prefer the `--register` flag over the
718 `LINKERD_DOCKER_REGISTRY` environment variable, making the precedence more
719 consistent (thanks @harsh020!)
720
721## edge-23.7.2
722
723This edge release introduces support for HTTP filters configured through both
724`policy.linkerd.io` and `gateway.networking.k8s.io` HTTPRoute resources.
725Currently, RequestHeaderModifier and RequestRedirect HTTP filters are
726supported. Additionally, this release fixes an issue with the linkerd-cni
727chart.
728
729* Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
730 outbound policy; filters may be added at the route or backend level
731* Fixed missing resource-cni labels on linkerd-cni; this blocked the
732 linkerd-cni pods from coming up when the injector was broken (thanks
733 @migueleliasweb!)
734
735## edge-23.7.1
736
737This edge release adds support for the upstream `gateway.networking.k8s.io`
738HTTPRoute resource (in addition to the `policy.linkerd.io` CRD installed by
739Linkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to
740fall back to ServiceProfiles for destinations without HTTPRoutes.
741
742* Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy
743 controller
744* Added distinguishable version information to proxy logs and metrics
745* Fixed incorrect handling of `NotFound` client policies in ingress-mode proxies
746
747## edge-23.6.3
748
749This edge release adds leader-election capabilities to the service-mirror
750controller under the hood, as a precursor to HA mode in an upcoming release. It
751also includes a `linkerd viz tap` improvement and a proxy startup bugfix, both
752contributed by the community!
753
754* Added leader-election capabilities to the service-mirror controller
755* Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields
756 (thanks @hiteshwani29!)
757* Fixed proxy startup failure when using the `config.linkerd.io/admin-port`
758 annotation (thanks @jclegras!)
759
760## edge-23.6.2
761
762This edge release introduces timeout capabilities for HTTPRoutes in a manner
763compatible with the proposed changes to HTTPRoute in
764[kubernetes-sigs/gateway-api#1997](https://github.com/kubernetes-sigs/gateway-api/pull/1997).
765
766This release also includes several small improvements and fixes:
767
768* A fix for HA validation checks when Linkerd is installed with Helm. Thanks
769 @mikutas!!
770* Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!
771
772## edge-23.6.1
773
774This edge release changes the behavior of the CNI plugin to run exclusively in
775"chained mode". Instead of creating its own configuration file, the CNI plugin
776will now wait until a `conf` file exists before appending its configuration.
777Additionally, this change includes a bug fix for topology aware service
778routing.
779
780* Changed the CNI plugin installer to always run in 'chained' mode; the plugin will
781 now wait until another CNI plugin is installed before appending its
782 configuration
783* Fixed bug where topology routing would not disable while service was under
784 load (thanks @MarkSRobinson!)
785* Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks
786 @bunnybilou!)
787
788## edge-23.5.3
789
790This edge release includes fixes for several bugs related to HTTPRoute handling.
791
792* Fixed an issue where the `namespace` field on HTTPRoute `backendRef`s was
793 ignored, and the backend Service would always be assumed to be in the
794 same namespace as the parent Service
795* Fixed an issue where default authorizations generated for readiness and
796 liveness probes would fail if the probe path included URI query parameters
797* Fixed the proxy not using gRPC response classification for gRPC requests to
798 destinations without ServiceProfiles
799
800## edge-23.5.2
801
802This edge release adds some minor improvements in the MeshTLSAuthentication CRD
803and the extensions charts, and fixes an issue with `linkerd multicluster check`.
804
805* Added tolerations and nodeSelector support in extensions `namespace-metadata`
806 Jobs (thanks @pssalman!)
807* Patched the MeshTLSAuthentication CRD to force providing at least one
808 identity/identityRef
809* Fixed the `linkerd multicluster check` command failing in the presence of lots
810 of mirrored services
811
812## edge-23.5.1
813
814This edge release introduces the ability to configure the proxy's discovery cache
815timeouts via annotations. While most users will not need to do this, it can be
816useful to improve the mesh's resilience to control plane failures. This release
817also includes a number of other important improvements and bug fixes.
818
819* Added -o json flag for the `linkerd multicluster gateways` command (thanks
820 @hiteshwani29)
821* Added missing label `linkerd.io/extension` to certain resources to ensure they
822 are pruned when appropriate (thanks @ClementRepo)
823* Fixed a memory leak in the service mirror controller
824* Improved validation of the `--to` and `--from` flags for the `linkerd viz stat`
825 command (thanks @pranoyk)
826* Fixed an issue with W3C trace context propagation which caused proxy spans to
827 be siblings rather than children of their original parent (thanks
828 @whiskeysierra)
829* Updated the Linkerd CNI plugin base docker image from Debian to Alpine
830* Fixed an issue where specifying a `remote_write` config would cause the
831 Prometheus config to be invalid (thanks @hiteshwani29)
832* Added the ability to configure the proxy's discovery cache timeouts with the
833 `config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout` and
834 `config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout` annotations
835* Fixed the `linkerd viz check` command so that it will wait until the viz
836 extension becomes ready
837* Fixed an issue where meshed pods could not communicate with themselves through
838 a ClusterIP Service
839
840## edge-23.4.3
841
842This edge release improves compatibility with ArgoCD by changing the Linkerd
843control plane to create Lease resources at runtime rather than including them
844in the Helm chart. It also addresses a CVE by upgrading an underlying
845dependency.
846
847* Upgraded `h2` dependency to address CVE-2023-26964
848* Fixed an issue where `server_port_subscribers` metric in the Destination
849 controller was sometimes absent
850* Removed the policy-controller-write Lease from the control plane Helm chart in
851 favor of creating it at runtime
852* Updated the proxy-injector to pass opaque port lists to the proxy as ranges
853 rather than individually, greatly reducing the size of proxy manifests when
854 large opaque port ranges are set
855* Fixed an issue where the proxy was performing protocol detection on ports
856 marked as opaque
857* Improved backwards compatibility between 2.13 proxies and 2.12 control planes
858
859## edge-23.4.2
860
861This edge release contains a number of bug fixes.
862
863* CLI
864 * Fixed `linkerd uninstall` issue for HttpRoute
865 * The `linkerd diagnostics policy` command now displays outbound policy when
866 the target resource is a Service
867
868* CNI
869 * Fixed an incompatibility with the AWS CNI addon in EKS that was
870 preventing pods from acquiring networking after scaling up nodes.
871 (thanks @frimik!)
872 * Added --set flag to install-cni plugin (thanks @amit-62!)
873
874* Control Plane
875 * Fixed an issue where the policy controller always used the default
876 `cluster.local` domain
877 * Send Opaque protocol hint for opaque ports in destination controller
878
879* Helm
880 * Fixed an issue in the viz Helm chart where the namespace metadata template
881 would throw `unexpected argument found` errors
882 * Fixed Jaeger chart installation failure
883
884* Multicluster
885 * Remove namespace field from cluster scoped resources to fix pruning
886
887* Proxy
888 * Updated `h2` dependency to include a patch for a theoretical
889 denial-of-service vulnerability discovered in CVE-2023-26964
890 * Handle Opaque protocol hints on endpoints
891 * Changed the proxy's default log level to silence warnings from
892 `trust_dns_proto` that are generally spurious.
893 * Added `outbound_http_balancer_endpoints` metric
894 * Fixed missing route_ metrics for requests with ServiceProfiles
895
896* Viz
897 * Bump prometheus image to v2.43.0
898 * Add the `kubelet` NetworkAuthentication back since it is used by the
899 `linkerd viz allow-scrapes` subcommand.
900
901## stable-2.13.1
902
903This stable release fixes an issue in the policy controller where a non-default
904cluster domain would return incorrect authorities in the outbound policy API.
905Additionally, this release updates a proxy dependency to fix CVE-2023-26964.
906
907* Proxy
908 * Updated `h2` dependency to include a patch for a theoretical
909 denial-of-service vulnerability discovered in CVE-2023-26964
910
911* Control Plane
912 * Fixed an issue where the policy controller always used the default
913 `cluster.local` domain
914
915* Helm
916 * Fixed an issue in the viz Helm chart where the namespace metadata template
917 would throw `unexpected argument found` errors
918
919## stable-2.13.0
920
921This release introduces client-side policy to Linkerd, including dynamic routing
922and circuit breaking. [Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoutes
923can now be used to configure policy for outbound (client) proxies as well as
924inbound (server) proxies, by creating HTTPRoutes with Service resources as their
925`parentRef`. See the Linkerd documentation for tutorials on [dynamic request
926routing] and [circuit breaking]. New functionality for debugging HTTPRoute-based
927policy is also included in this release, including [new proxy metrics] and the
928ability to display outbound policies in the `linkerd diagnostics policy` CLI
929command.
930
931In addition, this release adds `network-validator`, a new init container to be
932used when CNI is enabled. `network-validator` ensures that local iptables rules
933are working as expected. It will validate this before linkerd-proxy starts.
934`network-validator` replaces the `noop` container, runs as `nobody`, and drops
935all capabilities before starting.
936
937Finally, this release includes a number of bugfixes, performance improvements,
938and other smaller additions.
939
940**Upgrade notes**: Please see the [upgrade instructions][upgrade-2130].
941
942* CRDs
943 * HTTPRoutes may now have Service parents, to configure outbound policy
944 * Updated HTTPRoute version from `v1alpha1` to `v1beta2`
945
946* CLI
947 * Added a new `linkerd prune` command to the CLI (including most extensions) to
948 remove resources which are no longer part of Linkerd's manifests
949 * Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
950 * The `linkerd diagnostics policy` command now displays outbound policy when
951 the target resource is a Service
952
953* Control Plane
954 * The policy controller now discovers outbound policy configurations from
955 HTTPRoutes that target Services.
956 * Added OutboundPolicies API, for use by `linkerd-proxy` to route
957 outbound traffic
958 * Added Prometheus `/metrics` endpoint to the admin server, with process
959 metrics
960 * Fixed QueryParamMatch parsing for HTTPRoutes
961 * Added the policy status controller which writes the `status` field to
962 HTTPRoutes when a parent reference Server accepts or rejects it
963 * Added KubeAPI server ports to `ignoreOutboundPorts` of `proxy-injector`
964 * No longer apply `waitBeforeExitSeconds` to control plane, viz and jaeger
965 extension pods
966 * Added support for the `internalTrafficPolicy` of a service (thanks @yc185050!)
967 * Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
968 * Added protection against nil dereference in resources helm template
969 * Added support for Pod Security Admission (Pod Security Policy resources are
970 still supported but disabled by default)
971 * Lowered non-actionable error messages in the Destination log to debug-level
972 entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
973 * Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
974 when using more than one slice, a `NoEndpoints` event would be sent to the
975 proxy regardless of the amount of endpoints that were still available
976 (thanks @utay!)
977 * Improved diagnostic log messages
978 * Fixed sending of spurious profile updates
979 * Removed unnecessary Namespaces access from the destination controller RBAC
980 * Added the server_port_subscribers metric to track the number of subscribers
981 to Server changes associated with a pod's port
982 * Added the service_subscribers metric to track the number of subscribers to
983 Service changes
984 * Fixed a small memory leak in the opaque ports watcher
985
986* Proxy
987 * Use the new OutboundPolicies API, supporting Gateway API-style routes
988 in the outbound proxy
989 * Added support for dynamic request routing based on HTTPRoutes
990 * Added HTTP circuit breaking
991 * Added `outbound_route_backend_http_requests_total`,
992 `outbound_route_backend_grpc_requests_total`, and
993 `outbound_http_balancer_endpoints` metrics
994 * Changed the proxy's behavior when traffic splitting so that only services
995 that are not in failfast are used. This will enable the proxy to manage
996 failover without external coordination
997 * Updated tokio (async runtime) in the proxy, which should reduce CPU usage,
998 especially for the proxy's pod-local (i.e. in the same network namespace)
999 communication
1000
1001* linkerd-proxy-init
1002 * Changed `proxy-init` iptables rules to be idempotent upon init pod
1003 restart (thanks @jim-minter!)
1004 * Improved logging in `proxy-init` and `linkerd-cni`
1005 * Added a `proxyInit.privileged` setting to control whether the `proxy-init`
1006 initContainer runs as a privileged process
1007
1008* CNI
1009 * Added static and dynamic port overrides for CNI eBPF to work with socket-level
1010 load balancing
1011 * Added `network-validator` init container to ensure that iptables rules are
1012 working as expected
1013 * Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
1014
1015* Viz
1016 * Added `tap.ignoredHeaders` Helm value to the linkerd-viz chart. This value
1017 allows users to specify a comma-separated list of header names which will be
1018 ignored by Linkerd Tap (thanks @ryanhristovski!)
1019 * Removed duplicate SecurityContext in Prometheus manifest
1020 * Added new flag `--viz-namespace` which avoids requiring permissions for
1021 listing all namespaces in `linkerd viz` subcommands (thanks @danibaeyens!)
1022 * Removed the TrafficSplit page from the Linkerd viz dashboard (thanks
1023 @h-dav!)
1024 * Introduced new values in the `viz` chart to allow for arbitrary annotations
1025 on the `Service` objects (thanks @sgrzemski!)
1026 * Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
1027 in the Viz extension
1028
1029* Multicluster
1030 * Removed duplicate AuthorizationPolicy for probes from the multicluster
1031 gateway Helm chart
1032 * Updated wording for linkerd-multicluster cluster when it fails to probe a
1033 remote gateway mirror
1034 * Added multicluster gateway `nodeSelector` and `tolerations` helm parameters
1035 * Added new configuration options for the multicluster gateway:
1036 * `gateway.deploymentAnnotations`
1037 * `gateway.terminationGracePeriodSeconds` (thanks @bunnybilou!)
1038 * `gateway.loadBalancerSourceRanges` (thanks @Tyrion85!)
1039
1040* Extensions
1041 * Removed dependency on the `curlimages/curl` 3rd-party image used to initialize
1042 extensions namespaces metadata (so they are visible by `linkerd check`),
1043 replaced by the new `extension-init` image
1044 * Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources
1045 in Linkerd extensions
1046 * Removed policy resources bound to admin servers in extensions (previously
1047 these resources were used to authorize probes but now are authorized by
1048 default)
1049 * Fixed the link to the Jaeger dashboard in the viz dashboard (thanks
1050 @eugenegoncharuk!)
1051 * Updated linkerd-jaeger's collector to expose port 4318 in order to support HTTP
1052 alongside gRPC (thanks @uralsemih!)
1053
1054* Among other dependency updates, the no-longer maintained ghodss/yaml library
1055 was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
1056
1057This release includes changes from a massive list of contributors! A special
1058thank-you to everyone who helped make this release possible:
1059
1060* Andrew Pinkham [@jambonrose](https://github.com/jambonrose)
1061* Arnaud Beun [@bunnybilou](https://github.com/bunnybilou)
1062* Carlos Tadeu Panato Junior [@cpanato](https://github.com/cpanato)
1063* Christian Segundo [@someone-stole-my-name](https://github.com/someone-stole-my-name)
1064* Dani Baeyens [@danibaeyens](https://github.com/danibaeyens)
1065* Duc Tran [@ductnn](https://github.com/ductnn)
1066* Eng Zer Jun [@Juneezee](https://github.com/Juneezee)
1067* Ivan Ivic [@Tyrion85](https://github.com/Tyrion85)
1068* Joe Bowbeer [@joebowbeer](https://github.com/joebowbeer)
1069* Jonathan Ogilvie [@jcogilvie](https://github.com/jcogilvie)
1070* Jun [@junnplus](https://github.com/junnplus)
1071* Loong Dai [@daixiang0](https://github.com/daixiang0)
1072* María Teresa Rojas [@mtrojas](https://github.com/mtrojas)
1073* Mo Sattler [@MoSattler](https://github.com/MoSattler)
1074* Oleg Vorobev [@olegy2008](https://github.com/olegy2008)
1075* Paul Balogh [@javaducky](https://github.com/javaducky)
1076* Peter Smit [@psmit](https://github.com/psmit)
1077* Ryan Hristovski [@ryanhristovski](https://github.com/ryanhristovski)
1078* Semih Ural [@uralsemih](https://github.com/uralsemih)
1079* Shubhodeep Mukherjee [@shubhodeep9](https://github.com/shubhodeep9)
1080* Siddharth S Pal [@siddharthshubhampal](https://github.com/siddharthshubhampal)
1081* Subhash Choudhary [@subhashchy](https://github.com/subhashchy)
1082* Szymon Grzemski [@sgrzemski](https://github.com/sgrzemski)
1083* Takumi Sue [@mikutas](https://github.com/mikutas)
1084* Yannick Utard [@utay](https://github.com/utay)
1085* Yu Cao [@yc185050](https://github.com/yc185050)
1086* anoxape [@anoxape](https://github.com/anoxape)
1087* bastienbosser [@bastienbosser](https://github.com/bastienbosser)
1088* bitfactory-sem-denbroeder [@bitfactory-sem-denbroeder](https://github.com/bitfactory-sem-denbroeder)
1089* cui fliter [@cuishuang](https://github.com/cuishuang)
1090* eugenegoncharuk [@eugenegoncharuk](https://github.com/eugenegoncharuk)
1091* h-dav [@h-dav](https://github.com/h-dav)
1092* martinkubrak [@martinkubra](https://github.com/martinkubra)
1093* verbotenj [@verbotenj](https://github.com/verbotenj)
1094* ziollek [@ziollek](https://github.com/ziollek)
1095
1096[dynamic request routing]: https://linkerd.io/2.13/tasks/configuring-dynamic-request-routing
1097[circuit breaking]: https://linkerd.io/2.13/tasks/circuit-breakers
1098[new proxy metrics]: https://linkerd.io/2.13/reference/proxy-metrics/#outbound-xroute-metrics
1099[upgrade-2130]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2130
1100
1101## edge-23.4.1
1102
1103This is a release candidate for stable-2.13.0 — we encourage you to help
1104try it out!
1105
1106This edge release introduces request-level HTTP circuit-breaking
1107using a consecutive failures failure accrual policy. Circuit breaking can be
1108configured by adding failure accrual annotations to a Service. In addition, this
1109release adds new `outbound_route_backend_http_requests_total` and
1110`outbound_route_backend_grpc_requests_total` proxy metrics, which can be
1111used to track how routing rules and backend distributions apply to
1112requests. These metrics contain labels describing the route's parent
1113(i.e. a Service), the route resource being used, and the backend
1114resource being used by each request.
1115
1116* Proxy
1117 * Added discovery of failure accrual policies from the OutboundPolicy API
1118 * Implemented consecutive failures failure accrual policy
1119 * Added INFO-level logging on failure accrual changes
1120 * Added `outbound_route_backend_http_requests_total` and
1121 `outbound_route_backend_grpc_requests_total` metrics
1122
1123* Policy Controller
1124 * Added failure accrual configuration to the OutboundPolicy API
1125 * Added Prometheus `/metrics` endpoint to the admin server, with process
1126 metrics
1127 * Changed the policy controller to only accept HTTPRoutes when the parentRef
1128 is a ClusterIP Service
1129 * Added ports to service references in the OutboundPolicy API
1130
1131* Viz
1132 * Added `tap.ignoredHeaders` Helm value to the linkerd-viz chart. This value
1133 allows users to specify a comma-separated list of header names which will be
1134 ignored by Linkerd Tap (thanks @ryanhristovski!)
1135 * Removed duplicate SecurityContext in Prometheus manifest
1136
1137* Multicluster
1138 * Removed duplicate AuthorizationPolicy for probes from the multicluster
1139 gateway Helm chart
1140
1141## edge-23.3.4
1142
1143This edge release further enhances the OutboundPolicies API used by the proxy to
1144route outbound traffic, and continues extending the HTTPRoute resource's Status
1145field. It also starts integrating circuit-breaking functionality into the proxy,
1146which will be configurable in a subsequent iteration.
1147
1148* Continued iterating on the HTTPRoute's Status field, by extending support for
1149 routes parented to Services, and adding a ResolvedRefs condition reflecting
1150 the status of BackendRefs
1151* Updated the OutboundPolicies API such that only HTTPRoutes with an Accepted
1152 status of `true` are considered when routing outbound requests
1153* Improved handling of invalid backends, allowing the configuration of error
1154 responses
1155* Added new flag `--viz-namespace` which avoids requiring permissions for
1156 listing all namespaces in `linkerd viz` subcommands (thanks @danibaeyens!)
1157* Among other dependency updates, the no-longer maintained ghodss/yaml library
1158 was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
1159
1160## edge-23.3.3
1161
1162This edge release removes TrafficSplits from the Linkerd dashboard and fixes
1163a number of issues in the policy controller.
1164
1165* Removed the TrafficSplit page from the Linkerd viz dashboard
1166* Fixed an issue where the policy controller was not returning the correct
1167 status for non-Service authorities
1168* Fixed an issue where the policy controller could use large amounts of CPU
1169 when lease API calls failed
1170
1171## edge-23.3.2
1172
1173This edge release continues to improve dynamic Policy statuses and
1174introduces support for header-based routing.
1175
1176* Destination Controller
1177 * Added OutboundPolicies API, for use by `linkerd-proxy` to route
1178 outbound traffic
1179 * Improved diagnostic log messages
1180 * Fixed sending of spurious profile updates
1181
1182* Proxy
1183 * Use the new OutboundPolicies API, supporting Gateway API-style routes
1184 in the outbound proxy
1185
1186* Policy Controller
1187 * Support highly available Policy Controller by utilizing
1188 `policy-controller-write` Lease when patching HTTPRoutes
1189 * Consider the `status` field and filter out HTTPRoutes which have not
1190 been accepted
1191
1192* Added KubeAPI server ports to `ignoreOutboundPorts` of `proxy-injector`
1193* Updated HTTPRoute version from `v1alpha1` to `v1beta2`
1194* Updated `network-validator` helm charts to use `proxy-init` resources
1195* Fixed Grafana regular expression, enabling monitoring of filesystem
1196 usage (thanks @h-dav!)
1197
1198## edge-23.3.1
1199
1200This edge release continues to build support under the hood for the upcoming
1201features in 2.13. Also included are several dependency updates and less verbose
1202logging.
1203
1204* Removed dependency on the `curlimages/curl` 3rd-party image used to initialize
1205 extensions namespaces metadata (so they are visible by `linkerd check`),
1206 replaced by the new `extension-init` image
1207* Lowered non-actionable error messages in the Destination log to debug-level
1208 entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
1209
1210## edge-23.2.3
1211
1212This edge release includes a number of fixes and introduces a new CLI command,
1213`linkerd prune`. The new `prune` command should be used to remove resources
1214which are no longer part of the Linkerd manifest when doing an upgrade.
1215Previously, the recommendation was to use `linkerd upgrade` in conjunction with
1216`kubectl apply --prune`; however, that will not remove resources which are not
1217part of the input manifest, and it will not detect cluster scoped resources.
1218`linkerd prune` (included in all core extensions) should be preferred over it.
1219
1220Additionally, this change contains a few fixes from our external contributors,
1221and a change to the `viz` Helm chart which allows for arbitrary annotations on
1222`Service` objects. Last but not least, the release contains a few proxy
1223internal changes to prepare for the new client policy API.
1224
1225* Added a new `linkerd prune` command to the CLI (including extensions) to
1226 remove resources which are no longer part of Linkerd's manifests
1227* Introduced new values in the `viz` chart to allow for arbitrary annotations
1228 on the `Service` objects (thanks @sgrzemski!)
1229* Fixed up a comment in k8s API wrapper (thanks @ductnn!)
1230* Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
1231 when using more than one slice, a `NoEndpoints` event would be sent to the
1232 proxy regardless of the amount of endpoints that were still available (thanks
1233 @utay!)
1234
1235## edge-23.2.2
1236
1237This edge release adds the policy status controller which writes the `status`
1238field to HTTPRoutes when a parent reference Server accepts or rejects the
1239HTTPRoute. This field is currently not consumed by the policy controller, but
1240acts as the first step for considering HTTPRoute `status` when serving policy.
1241
1242Additionally, the destination controller now uses the Kubernetes metadata API
1243for resources which it only needs to track the metadata for — Nodes and
1244ReplicaSets. For all other resources it tracks, it uses additional information
1245so continues to use the API as before.
1246
1247* Fixed error message to include the colliding Server in the policy controller's
1248 admission webhook validation
1249* Updated wording for linkerd-multicluster cluster when it fails to probe a
1250 remote gateway mirror
1251* Removed unnecessary Namespaces access from the destination controller RBAC
1252* Added Kubernetes metadata API in the destination controller for watching Nodes
1253 and ReplicaSets
1254* Fixed QueryParamMatch parsing for HTTPRoutes
1255* Added the policy status controller which writes the `status` field to
1256 HTTPRoutes when a parent reference Server accepts or rejects it
1257
1258## edge-23.2.1
1259
1260This edge release sees the `linkerd-cni` plugin moved to
1261`linkerd2-proxy-init` and released from that repository. An iptables
1262improvement to `linkerd-cni` and `proxy-init` is the main focus. Other
1263minor fixes are also included.
1264
1265* Changed `proxy-init` iptables rules to be idempotent upon init pod
1266 restart (thanks @jim-minter!)
1267* Improved logging in `proxy-init` and `linkerd-cni`
1268* Added the server_port_subscribers metric to track the number of subscribers
1269 to Server changes associated with a pod's port
1270* Added the service_subscribers metric to track the number of subscribers to
1271 Service changes
1272* Fixed a small memory leak in the opaque ports watcher
1273* No longer apply `waitBeforeExitSeconds` to control plane, viz and jaeger
1274 extension pods
1275* Added support for the `internalTrafficPolicy` of a service (thanks @yc185050!)
1276* Added `limits` and `requests` to network-validator for ResourceQuota interop
1277* Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
1278* Added multicluster gateway `nodeSelector` and `tolerations` helm parameters
1279* Added protection against nil dereference in resources helm template
1280
1281## edge-23.1.2
1282
This edge release fixes a memory leak in the Linkerd control plane that could
occur when many pods were created. It also adds a number of new
configuration options for the Multicluster extension's gateway.
1286
1287* Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
* Added new configuration options for the multicluster gateway:
  * `gateway.deploymentAnnotations`
  * `gateway.terminationGracePeriodSeconds` (thanks @bunnybilou!)
  * `gateway.loadBalancerSourceRanges` (thanks @Tyrion85!)
* Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
  in the Viz extension
* Fixed the link to the Jaeger dashboard in the viz dashboard (thanks @eugenegoncharuk!)
1295* Fixed an issue where control plane components could fail to start on large
1296 clusters because of failing readiness probes while caches were being
1297 initialized
1298* Fixed a memory leak in the Destination controller
1299* Fixed an issue where PodSecurityPolicies could reject Linkerd control plane
1300 components due to the `seccompProfile`
1301
1302## edge-23.1.1
1303
1304This edge release fixes a caching issue in the destination controller, converts
1305deprecated policy resources, and introduces several changes to how the proxy
1306works.
1307
1308A bug in the destination controller that could potentially lead to stale pods
1309being considered in the load balancer has been fixed.
1310
1311Several Linkerd extensions were still using the now deprecated
1312ServerAuthorization resource. These instances have now been converted to using
1313AuthorizationPolicy. Additionally, removed several policy resources that
1314authenticated probes, since probes are now authenticated by default.
1315
As part of ongoing policy work, there are several changes to how the proxy
works. Routes are now lazily initialized so that service profile routes will
not show up in metrics until the route is used. Furthermore, the proxy's
traffic splitting behavior has changed so that only available resources are
used, resulting in fewer failfast errors.
1321
1322Finally, this edge release contains a number of fixes and improvements from our
1323contributors.
1324
1325* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources
1326 in Linkerd extensions
1327* Removed policy resources bound to admin servers in extensions (previously
1328 these resources were used to authorize probes but now are authorized by
1329 default)
1330* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
1331* Fixed an issue in the CLI where `--identity-external-ca` would set an
1332 incorrect field (thanks @anoxape!)
1333* Fixed an issue in the destination controller's cache that could result in
1334 stale endpoints when using EndpointSlice objects
1335* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
1336* Added support for Pod Security Admission (Pod Security Policy resources are
1337 still supported but disabled by default)
1338* Changed routes to be initialized lazily. Service Profile routes will no
1339 longer show up in metrics until the route is used (default routes are always
1340 available when no Service Profile is defined for a service)
1341* Changed the proxy's behavior when traffic splitting so that only services
1342 that are not in failfast are used. This will enable the proxy to manage
1343 failover without external coordination
* Updated tokio (async runtime) in the proxy which should reduce CPU usage,
  especially for the proxy's pod-local (i.e. in the same network namespace)
  communication
1347* Fixed an issue where `linkerd viz tap` would display wrong latency/duration
1348 value (thanks @olegy2008!)
1349
1350## edge-22.12.1
1351
1352This edge release introduces static and dynamic port overrides for CNI eBPF
1353socket-level load balancing. In certain installations when CNI plugins run in
1354eBPF mode, socket-level load balancing rewrites packet destinations to port
13556443; as with 443 already, this port is now skipped as well on control plane
1356components so that they can communicate with the Kubernetes API before their
1357proxies are running.
1358
1359Additionally, a potential panic and false warning have been fixed in the
1360destination controller.
1361
* Updated linkerd-jaeger's collector to expose port 4318 in order to support
  HTTP alongside gRPC (thanks @uralsemih!)
1364* Added a `proxyInit.privileged` setting to control whether the `proxy-init`
1365 initContainer runs as a privileged process
1366* Fixed a potential panic in the destination controller caused by concurrent
1367 writes when dealing with Endpoint updates
1368* Fixed false warning when looking up HostPort mappings on Pods
1369* Added static and dynamic port overrides for CNI eBPF to work with socket-level
1370 load balancing
1371
1372## edge-22.11.3
1373
1374This edge release fixes connection errors to pods that use `hostPort`
1375configurations. The CNI `network-validator` init container features
1376improved error logging, and the default `linkerd-cni` DaemonSet
1377configuration is updated to tolerate all node taints so that the CNI
1378runs on all nodes in a cluster.
1379
1380* Fixed `destination` service to properly discover targets using a `hostPort`
1381 different than their `containerPort`, which was causing 502 errors
1382* Upgraded the `network-validator` with better logging allowing users to
1383 determine whether failures occur as a result of their environment or the tool
1384 itself
1385* Added default `Exists` toleration to the `linkerd-cni` DaemonSet, allowing it
1386 to be deployed in all nodes by default, regardless of taints
1387
1388## edge-22.11.2
1389
1390This edge release introduces the use of the Kubernetes metadata API in the
1391proxy-injector and tap-injector components. This can reduce the IO and memory
1392footprint for those components as they now only need to track the metadata for
1393certain resources, rather than the entire resource itself. Similar changes will
1394be made for the destination component in an upcoming release.
1395
1396* Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients
1397* Changed the proxy-injector and tap-injector components to use the metadata API
1398 which should result in less memory consumption
1399
1400## edge-22.11.1
1401
This edge release ships a few fixes in Linkerd's dashboard, and the
1403multicluster extension. Additionally, a regression has been fixed in the CLI
1404that blocked upgrades from versions older than 2.12.0, due to missing CRDs
1405(even if the CRDs were present in-cluster). Finally, the release includes
1406changes to the helm charts to allow for arbitrary (user-provided) labels on
1407Linkerd workloads.
1408
1409* Fixed an issue in the CLI where upgrades from any version prior to
1410 stable-2.12.0 would fail when using the `--from-manifest` flag
1411* Removed un-injectable namespaces, such as kube-system from unmeshed resource
1412 notification in the dashboard (thanks @MoSattler!)
1413* Fixed an issue where the dashboard would respond to requests with 404 due to
1414 wrong root paths in the HTML script (thanks @junnplus!)
1415* Removed the proxyProtocol field in the multicluster gateway policy; this has
1416 the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks
1417 @psmit!)
1418* Fixed the multicluster gateway UID when installing through the CLI, prior to
1419 this change the 'runAsUser' field would be empty
1420* Changed the helm chart for the control plane and all extensions to support
1421 arbitrary labels on resources (thanks @bastienbosser!)
1422
1423## edge-22.10.3
1424
1425This edge release adds `network-validator`, a new init container to be used when
1426CNI is enabled. `network-validator` ensures that local iptables rules are
1427working as expected. It will validate this before linkerd-proxy starts.
1428`network-validator` replaces the `noop` container, runs as `nobody`, and drops
1429all capabilities before starting.
1430
* Validate CNI `iptables` configuration during pod startup
* Fix the "cluster networks contains all services" check failing for services
  with no ClusterIP
* Remove kubectl version check from `linkerd check` (thanks @ziollek!)
* Set `readOnlyRootFilesystem: true` in viz chart (thanks @mikutas!)
* Fix `linkerd multicluster install` by re-adding `pause` container image
  in chart
* Fix hardcoded image value in linkerd-viz's namespace-metadata.yml template
  (thanks @bastienbosser!)
1440
1441## edge-22.10.2
1442
1443This edge release fixes an issue with CNI chaining that was preventing the
1444Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
1445includes several other fixes.
1446
1447* Updated Grafana dashboards to use variable duration parameter so that they can
1448 be used when Prometheus has a longer scrape interval (thanks @TarekAS)
1449* Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI plugin
1450 can be used alongside other CNI plugins such as Cilium
1451* Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
1452* Added a check that ClusterIP services are in the cluster networks
1453* Added a noop init container to injected pods when the CNI plugin is enabled
1454 to prevent certain scenarios where a pod can get stuck without an IP address
* Fixed a bug where the `config.linkerd.io/proxy-version` annotation could be empty
1456
1457## edge-22.10.1
1458
1459This edge release fixes some sections of the Viz dashboard appearing blank, and
1460adds an optional PodMonitor resource to the Helm chart to enable easier
1461integration with the Prometheus Operator. It also includes many fixes submitted
1462by our contributors.
1463
1464* Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
1465 @MoSattler!)
1466* Added an optional PodMonitor resource to the main Helm chart (thanks
1467 @jaygridley!)
1468* Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
1469* Expanded the `linkerd authz` command to display AuthorizationPolicy resources
1470 that target namespaces (thanks @aatarasoff!)
1471* Fixed the `NotIn` label selector operator in the policy resources, being
1472 erroneously treated as `In`.
1473* Fixed warning logic around the "linkerd-viz ClusterRoles exist" and
1474 "linkerd-viz ClusterRoleBindings exist" checks in `linkerd viz check`
1475* Fixed proxies emitting some duplicate inbound metrics
1476
1477## stable-2.12.1
1478
1479This release includes several control plane and proxy fixes for `stable-2.12.0`.
1480In particular, it fixes issues related to control plane HTTP servers' header
1481read timeouts resulting in decreased controller success rates, lowers the
1482inbound connection pool idle timeout in the proxy, and fixes an issue where the
1483jaeger injector would put pods into an error state when upgrading from
1484stable-2.11.x.
1485
1486Additionally, this release adds the `linkerd.io/trust-root-sha256` annotation to
1487all injected workloads allowing predictable comparison of all workloads' trust
1488anchors via the Kubernetes API.
1489
1490For Windows users, note that the Linkerd CLI's `nupkg` file for Chocolatey is
1491once again included in the release assets (it was previously removed in
1492stable-2.10.0).
1493
* Proxy
  * Lowered inbound connection pool idle timeout to 3s

* Control Plane
  * Updated AdmissionRegistration API version usage to v1
  * Added `linkerd.io/trust-root-sha256` annotation on all injected workloads
    to indicate certificate bundle
  * Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to
    conform to specification (thanks @aatarasoff!)
  * Updated the identity controller to not require a `ClusterRoleBinding`
    to read all deployment resources
  * Increased servers' header read timeouts so they no longer match default
    probe and Prometheus scrape intervals

* Helm
  * Restored `namespace` field in Linkerd helm charts
  * Updated `PodDisruptionBudget` `apiVersion` from `policy/v1beta1` to
    `policy/v1` (thanks @Vrx555!)

* Extensions
  * Fixed jaeger injector interfering with upgrades to 2.12.x
1515
1516## edge-22.9.2
1517
1518This release fixes an issue where the jaeger injector would put pods into an
1519error state when upgrading from stable-2.11.x.
1520
1521* Updated AdmissionRegistration API version usage to v1
1522* Fixed jaeger injector interfering with upgrades to 2.12.x
1523
1524## edge-22.9.1
1525
1526This release adds the `linkerd.io/trust-root-sha256` annotation to all injected
1527workloads allowing predictable comparison of all workloads' trust anchors via
1528the Kubernetes API.
1529
1530Additionally, this release lowers the inbound connection pool idle timeout to
15313s. This should help avoid socket errors, especially for Kubernetes probes.
1532
* Added `linkerd.io/trust-root-sha256` annotation on all injected workloads
  to indicate certificate bundle
1535* Lowered inbound connection pool idle timeout to 3s
1536* Restored `namespace` field in Linkerd helm charts
1537* Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to
1538 conform to specification (thanks @aatarasoff!)
1539* Updated the identity controller to not require a `ClusterRoleBinding`
1540 to read all deployment resources.
1541
1542## edge-22.8.3
1543
1544Increased control plane HTTP servers' read timeouts so that they no longer
1545match the default probe intervals. This was leading to closed connections
1546and decreased controller success rate.
1547
1548## stable-2.12.0
1549
1550This release introduces route-based policy to Linkerd, allowing users to define
1551and enforce authorization policies based on HTTP routes in a fully zero-trust
1552way. These policies are built on Linkerd's strong workload identities, secured
1553by mutual TLS, and configured using types from the Kubernetes [Gateway
1554API](https://gateway-api.sigs.k8s.io/).
1555
1556The 2.12 release also introduces optional request logging ("access logging"
1557after its name in webservers), optional support for `iptables-nft`, and a host
1558of other improvements and performance enhancements.
1559
1560Additionally, the `linkerd-smi` extension is now required to use TrafficSplit,
1561and the installation process has been updated to separate management of the
1562Linkerd CRDs from the main installation process. With the CLI, you'll need to
1563`linkerd install --crds` before running `linkerd install`; with Helm, you'll
1564install the new `linkerd-crds` chart, then the `linkerd-control-plane` chart.
1565These charts are now versioned using [SemVer](https://semver.org) independently
1566of Linkerd releases. For more information, see the [upgrade
1567notes][upgrade-2120].
1568
1569**Upgrade notes**: Please see the [upgrade instructions][upgrade-2120].
1570
* Proxy
  * Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the
    duration that the proxy may wait for graceful shutdown
  * Added a `config.linkerd.io/access-log` annotation to enable logging of
    workload requests
  * Added a new `iptables-nft` mode for the `proxy-init` initContainer
  * Added support for non-HTTP traffic forwarding within the mesh in `ingress`
    mode
  * Added the `/env.json` log diagnostic endpoint
  * Added a new `process_uptime_seconds_total` metric to track proxy uptime in
    seconds
  * Added support for dynamically discovering policies for ports that are not
    documented in a pod's `containerPorts`
  * Added support for route-based inbound HTTP metrics
    (`route_group`/`route_kind`/`route_name`)
  * Added a new annotation to configure skipping subnets in the init container
    (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker
    workloads (thanks @michaellzc!)

* Control Plane
  * Added support for per-route policy by supporting AuthorizationPolicy
    resources which can target HttpRoute or Server resources
  * Added support for bound service account token volumes for the control plane
    and injected workloads
  * Removed kube-system exclusions from watchers to fix service discovery for
    workloads in the kube-system namespace (thanks @JacobHenner!)
  * Updated healthcheck to ignore `Terminated` state for pods (thanks
    @AgrimPrasad!)
  * Updated the default policy controller log level to `info`; the controller
    will now emit INFO level logs for some of its dependencies
  * Added probe authorization by default, allowing clusters that use a default
    `deny` policy to not explicitly need to authorize probes
  * Fixed an issue where the proxy-injector would break when using
    `nodeAffinity` values for the control plane
  * Fixed an issue where certain control plane components were not restarting as
    necessary after a trust root rotation
  * Removed SMI functionality in the default Linkerd installation; this is now
    part of the `linkerd-smi` extension

* CLI
  * Fixed the `linkerd check` command crashing when unexpected pods are found in
    a Linkerd namespace
  * Updated the `linkerd authz` command to support AuthorizationPolicy and
    HttpRoute resources
  * Updated `linkerd check` to allow RSA signed trust anchors (thanks
    @danibaeyens!)
  * `linkerd install --crds` must be run before `linkerd install`
  * `linkerd upgrade --crds` must be run before `linkerd upgrade`
  * Fixed invalid yaml syntax in the viz extension's tap-injector template
    (thanks @wc-s!)
  * Fixed an issue where the `--default-inbound-policy` setting was not being
    respected
  * Added support for AuthorizationPolicy and HttpRoute to `viz authz` command
  * Added support for AuthorizationPolicy and HttpRoute to `viz stat` command
  * Added support for policy metadata in `linkerd viz tap`

* Helm
  * Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`
  * Charts are now versioned using [SemVer](https://semver.org) independently of
    Linkerd releases
  * Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
  * Changed the `proxy.await` Helm value so that users can now disable
    `linkerd-await` on control plane components
  * Added the `policyController.probeNetworks` Helm value for configuring the
    networks that probes are expected to be performed from

* Extensions
  * Added annotations to allow Linkerd extension deployments to be evicted by
    the autoscaler when necessary
  * Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
    mode
  * Added a ServiceAccount token Secret to the multicluster extension to support
    Kubernetes versions >= v1.24
1644
1645This release includes changes from a massive list of contributors, including
1646engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
1647others. A special thank-you to everyone who helped make this release possible:
1648
1649Agrim Prasad [@AgrimPrasad](https://github.com/AgrimPrasad)
1650Ahmed Al-Hulaibi [@ahmedalhulaibi](https://github.com/ahmedalhulaibi)
1651Aleksandr Tarasov [@aatarasoff](https://github.com/aatarasoff)
1652Alexander Berger [@alex-berger](https://github.com/alex-berger)
1653Ao Chen [@chenaoxd](https://github.com/chenaoxd)
1654Badis Merabet [@badis](https://github.com/badis)
1655Bjørn [@Crevil](https://github.com/Crevil)
1656Brian Dunnigan [@bdun1013](https://github.com/bdun1013)
1657Christian Schlotter [@chrischdi](https://github.com/chrischdi)
1658Dani Baeyens [@danibaeyens](https://github.com/danibaeyens)
1659David Symons [@multimac](https://github.com/multimac)
1660Dmitrii Ermakov [@ErmakovDmitriy](https://github.com/ErmakovDmitriy)
1661Elvin Efendi [@ElvinEfendi](https://github.com/ElvinEfendi)
1662Evan Hines [@evan-hines-firebolt](https://github.com/evan-hines-firebolt)
1663Eng Zer Jun [@Juneezee](https://github.com/Juneezee)
1664Gustavo Fernandes de Carvalho [@gusfcarvalho](https://github.com/gusfcarvalho)
1665Harry Walter [@haswalt](https://github.com/haswalt)
1666Israel Miller [@imiller31](https://github.com/imiller31)
1667Jack Gill [@jackgill](https://github.com/jackgill)
1668Jacob Henner [@JacobHenner](https://github.com/JacobHenner)
1669Jacob Lorenzen [@Jaxwood](https://github.com/Jaxwood)
1670Joakim Roubert [@joakimr-axis](https://github.com/joakimr-axis)
1671Josh Ault [@jault-figure](https://github.com/jault-figure)
1672João Soares [@jasoares](https://github.com/jasoares)
1673jtcarnes [@jtcarnes](https://github.com/jtcarnes)
1674Kim Christensen [@kichristensen](https://github.com/kichristensen)
1675Krzysztof Dryś [@krzysztofdrys](https://github.com/krzysztofdrys)
1676Lior Yantovski [@lioryantov](https://github.com/lioryantov)
1677Martin Anker Have [@mahlunar](https://github.com/mahlunar)
1678Michael Lin [@michaellzc](https://github.com/michaellzc)
1679Michał Romanowski [@michalrom089](https://github.com/michalrom089)
1680Naveen Nalam [@nnalam](https://github.com/nnalam)
1681Nick Calibey [@ncalibey](https://github.com/ncalibey)
1682Nikola Brdaroski [@nikolabrdaroski](https://github.com/nikolabrdaroski)
1683Or Shachar [@or-shachar](https://github.com/or-shachar)
1684Pål-Magnus Slåtto [@dev-slatto](https://github.com/dev-slatto)
1685Raman Gupta [@rocketraman](https://github.com/rocketraman)
1686Ricardo Gândara Pinto [@rmgpinto](https://github.com/rmgpinto)
1687Roberth Strand [@roberthstrand](https://github.com/roberthstrand)
1688Sankalp Rangare [@sankalp-r](https://github.com/sankalp-r)
1689Sascha Grunert [@saschagrunert](https://github.com/saschagrunert)
1690Steve Gray [@steve-gray](https://github.com/steve-gray)
1691Steve Zhang [@zhlsunshine](https://github.com/zhlsunshine)
1692Takumi Sue [@mikutas](https://github.com/mikutas)
1693Tanmay Bhat [@tanmay-bhat](https://github.com/tanmay-bhat)
1694Táskai Dominik [@dtaskai](https://github.com/dtaskai)
1695Ujjwal Goyal [@importhuman](https://github.com/importhuman)
1696Weichung Shaw [@wc-s](https://github.com/wc-s)
1697Wim de Groot [@wim-de-groot](https://github.com/wim-de-groot)
1698Yannick Utard [@utay](https://github.com/utay)
1699Yurii Dzobak [@yuriydzobak](https://github.com/yuriydzobak)
1700罗泽轩 [@spacewander](https://github.com/spacewander)
1701
1702[upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120
1703
1704## stable-2.12.0-rc2
1705
1706This release is the second release candidate for stable-2.12.0.
1707
1708At this point the Helm charts can be retrieved from the stable repo:
1709
```sh
helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```
1721
1722The following lists all the changes since edge-22.8.2:
1723
1724* Fixed inheritance of the `linkerd.io/inject` annotation from Namespace to
1725 Workloads when its value is `ingress`
1726* Added the `config.linkerd.io/default-inbound-policy: all-authenticated`
1727 annotation to linkerd-multicluster’s Gateway deployment so that all clients
1728 are required to be authenticated
* Added a `ReadHeaderTimeout` of 10s to all the Go `http.Server` instances, to
  avoid being vulnerable to "Slowloris" attacks
* Added check in `linkerd viz check --proxy` to warn when a namespace has the
  `config.linkerd.io/default-inbound-policy: deny` annotation, which would not
  authorize scrapes coming from the linkerd-viz Prometheus instance
* Added validation for accepted values for the `--default-inbound-policy` flag
* Fixed invalid URL in the `linkerd install --help` output
* Added `--destination-pod` flag to `linkerd diagnostics endpoints` subcommand
* Added `proxyInit.runAsUser` in `values.yaml` defaulting to non-zero, to
  complement the new default `proxyInit.runAsRoot: false` that was recently
  changed
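
The effect of the `ReadHeaderTimeout` change listed above can be checked with a loopback test. This is an added example, not Linkerd's own code: the function name is hypothetical and the timeout is shortened from the release's 10s so the check finishes quickly.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// stalledHeaderDropped (hypothetical helper) starts an http.Server on a
// loopback port with the given ReadHeaderTimeout, opens one connection that
// sends an unterminated request header and then goes silent, and reports
// whether the server gave up on that connection before `wait` elapsed.
func stalledHeaderDropped(readHeaderTimeout, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			w.WriteHeader(http.StatusNoContent)
		}),
		// Zero means no header deadline at all (ReadTimeout is also unset here),
		// so a silent peer can hold the connection and its goroutine open.
		ReadHeaderTimeout: readHeaderTimeout,
	}
	go srv.Serve(ln) // returns http.ErrServerClosed once srv.Close() runs
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// The header block is never finished: the empty line that ends it is missing.
	if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: localhost\r\n")); err != nil {
		return false, err
	}

	// Wait for the server to react. Only the client's own deadline firing means
	// the server is still holding the half-open request.
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	_, err = conn.Read(make([]byte, 1))
	if err == nil {
		return false, errors.New("unexpected response to an incomplete request")
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false, nil // server kept the connection open
	}
	return true, nil // EOF or reset: the server closed the connection
}

func main() {
	cases := []struct {
		name    string
		timeout time.Duration
	}{
		{"ReadHeaderTimeout set (200ms for the demo)", 200 * time.Millisecond},
		{"ReadHeaderTimeout unset", 0},
	}
	for _, c := range cases {
		dropped, err := stalledHeaderDropped(c.timeout, time.Second)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-45s stalled connection dropped: %v\n", c.name, dropped)
	}
}
```

A server that passes this check still needs body and idle limits; the header deadline only bounds the time a peer may take to finish the request headers.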
1740
1741## edge-22.8.2
1742
1743This release is considered a release candidate for stable-2.12.0 and we
1744encourage you to try it out! It includes an update to the multicluster extension
1745which adds support for Kubernetes v1.24 and also updates many CLI commands to
1746support the new policy resources: ServerAuthorization and HTTPRoute.
1747
1748* Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens!)
1749* Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s!)
1750* Added support for AuthorizationPolicy and HttpRoute to viz authz command
1751* Added support for AuthorizationPolicy and HttpRoute to viz stat
1752* Added support for policy metadata in linkerd tap
1753* Fixed an issue where certain control plane components were not restarting as
1754 necessary after a trust root rotation
1755* Added a ServiceAccount token Secret to the multicluster extension to support
1756 Kubernetes versions >= v1.24
1757* Fixed an issue where the --default-inbound-policy setting was not being
1758 respected
1759
1760## edge-22.8.1
1761
This release introduces default probe authorization. This means that on
1763clusters that use a default `deny` policy, probes do not have to be explicitly
1764authorized using policy resources. Additionally, the
1765`policyController.probeNetworks` Helm value has been added, which allows users
1766to configure the networks that probes are expected to be performed from.
1767
1768Additionally, the `linkerd authz` command has been updated to support the policy
1769resources AuthorizationPolicy and HttpRoute.
1770
Finally, some smaller changes include allowing `linkerd-await` to be disabled
on control plane components (using the existing `proxy.await` configuration)
and changing the default iptables mode back to `legacy` to support more cluster
environments by default.
1775
1776* Updated the `linkerd authz` command to support AuthorizationPolicy and
1777 HttpRoute resources
1778* Changed the `proxy.await` Helm value so that users can now disable
1779 `linkerd-await` on control plane components
1780* Added probe authorization by default allowing clusters that use a default
1781 `deny` policy to not explicitly need to authorize probes
1782* Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
1783* Added the `policyController.probeNetworks` Helm value for configuring the
1784 networks that probes are expected to be performed from
1785* Changed the default iptables mode to `legacy`
1786
1787## edge-22.7.3
1788
1789This release adds a new `nft` iptables mode, used by default in proxy-init.
1790When used, firewall configuration will be set-up through the `iptables-nft`
1791binary; this should allow hosts that do not support `iptables-legacy` (such as
1792RHEL based environments) to make use of the init container. The older
`iptables-legacy` mode is still supported, but it must be explicitly turned on.
1794Moreover, this release also replaces the `HTTPRoute` CRD with Linkerd's own
1795version, and includes a number of fixes and improvements.
1796
1797* Added a new `iptables-nft` mode for proxy-init. When running in this mode,
1798 the firewall will be configured with `nft` kernel API; this should allow
1799 users to run the init container on RHEL-family hosts
1800* Fixed an issue where the proxy-injector would break when using `nodeAffinity`
1801 values for the control plane
1802* Updated healthcheck to ignore `Terminated` state for pods (thanks
1803 @AgrimPrasad!)
* Replaced `HTTPRoute` CRD version from `gateway.networking.k8s.io` with a
  similar version from the `policy.linkerd.io` API group. While the CRD is
  similar, it does not support the `Gateway` type, does not contain the
  `backendRefs` fields, and does not support `RequestMirror` and `ExtensionRef`
  filter types.
1809* Updated the default policy controller log level to `info`; the controller
1810 will now emit INFO level logs for some of its dependencies
1811* Added validation to ensure `HTTPRoute` paths are absolute; relative paths are
1812 not supported by the proxy and the policy controller admission server will
1813 reject any routes that use paths which do not start with `/`
1814
1815## edge-22.7.2
1816
1817This release adds support for per-route authorization policy using the
1818AuthorizationPolicy and HttpRoute resources. It also adds a configurable
1819shutdown grace period to the proxy which can be used to ensure that proxy
1820graceful shutdown completes within a certain time, even if there are outstanding
1821open connections.
1822
1823* Removed kube-system exclusions from watchers to fix service discovery for
1824 workloads in the kube-system namespace (thanks @JacobHenner!)
1825* Added annotations to allow Linkerd extension deployments to be evicted by the
1826 autoscaler when necessary
1827* Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
1828* Added support for per-route policy by supporting AuthorizationPolicy resources
1829 which target HttpRoute resources
1830* Fixed the `linkerd check` command crashing when unexpected pods are found in
1831 a Linkerd namespace
1832* Added a `config.linkerd.io/shutdown-grace-period` annotation to configure the
1833 proxy's maximum grace period for graceful shutdown
1834
1835## edge-22.7.1
1836
1837This release includes a security improvement. When a user manually specified the
1838`policyValidator.keyPEM` setting, the value was incorrectly included in the
1839`linkerd-config` configmap. This means that this private key was erroneously
1840exposed to service accounts with read access to this configmap. Practically,
1841this means that the Linkerd `proxy-injector`, `identity`, and `heartbeat` pods
1842could read this value. This should **not** have exposed this private key to
1843other unauthorized users unless additional role bindings were added outside of
1844Linkerd. Nevertheless, we recommend that users who manually set control plane
1845certificates update the credentials for the policy validator after upgrading
1846Linkerd.
1847
Additionally, the linkerd-multicluster extension has several fixes related to
fail fast errors during link watch restarts, improper label matching for
mirrored services, and properly cleaning up mirrored endpoints in certain
situations.
1852
1853Lastly, the proxy can now retry gRPC requests that have responses with a
1854TRAILERS frame. A fix to reduce redundant load balancer updates should also
1855result in less connection churn.
1856
1857* Changed unit tests to use newly introduced `prommatch` package for asserting
1858 expected metrics (thanks @krzysztofdrys!)
1859* Fixed Docker container runtime check to only run during `linkerd install` rather
1860 than `linkerd check --pre`
1861* Changed linkerd-multicluster's remote cluster watcher to assume the gateway is
1862 alive when starting—fixing fail fast errors from occurring during restarts
1863 (thanks @chenaoxd!)
1864* Added `matchLabels` and `matchExpressions` to linkerd-multicluster's Link CRD
1865* Fixed linkerd-multicluster's label selector to properly select resources that
1866 match the expected label value, rather than just the presence of the label
1867* Fixed linkerd-multicluster's cluster watcher to properly clean up endpoints
1868 belonging to remote headless services that are no longer mirrored
1869* Added the HttpRoute CRD which will be used by future policy features
1870* Fixed CNI plugin event processing where file updates could sometimes be
1871 skipped leading to the update not being acknowledged
1872* Fixed redundant load balancer updates in the proxy that could cause
1873 unnecessary connection churn
1874* Fixed gRPC request retries for responses that contain a TRAILERS frame
1875* Fixed the dashboard's `linkerd check` due to missing RBAC for listing pods in
1876 the cluster
1877* Fixed API check that ensures access to the Server CRD (thanks @aatarasoff!)
1878* Changed `linkerd authz` to match the labels of pre-fetched Pods rather than
1879 the multiple API calls it was doing—resulting in significant speed-up (thanks
1880 @aatarasoff!)
1881* Unset `policyValidator.keyPEM` in `linkerd-config` ConfigMap
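
A post-upgrade check for the `policyValidator.keyPEM` exposure described in this release, as an added example (not Linkerd's own code): it scans the JSON form of a ConfigMap, such as the output of `kubectl -n linkerd get configmap linkerd-config -o json`, for PEM private key headers and reports where they sit without echoing the key. The function name, the `Finding` type and both sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// configMap keeps only the part of a Kubernetes ConfigMap this check reads.
type configMap struct {
	Data map[string]string `json:"data"`
}

// Finding records where key material was seen; it never carries the key.
type Finding struct {
	DataKey string // key under .data, for example "values"
	Line    int    // 1-based line of the BEGIN marker inside that value
	KeyType string // PEM label, for example "EC PRIVATE KEY"
}

// pemPrivateKey matches the PEM header of PKCS#1, SEC1, PKCS#8 and
// encrypted PKCS#8 private keys.
var pemPrivateKey = regexp.MustCompile(`-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----`)

// Constructed sample: a ConfigMap whose rendered values still embed a key.
const affectedSample = `{
  "kind": "ConfigMap",
  "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
  "data": {
    "values": "policyValidator:\n  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    (constructed placeholder)\n    -----END CERTIFICATE-----\n  keyPEM: |\n    -----BEGIN EC PRIVATE KEY-----\n    (constructed placeholder)\n    -----END EC PRIVATE KEY-----\n"
  }
}`

// Constructed sample: the same ConfigMap with the key unset.
const fixedSample = `{"data": {"values": "policyValidator:\n  crtPEM: \"\"\n  keyPEM: \"\"\n"}}`

// FindPrivateKeys parses ConfigMap JSON and returns one Finding per PEM
// private key header found in any .data value.
func FindPrivateKeys(raw []byte) ([]Finding, error) {
	var cm configMap
	if err := json.Unmarshal(raw, &cm); err != nil {
		return nil, fmt.Errorf("parse ConfigMap JSON: %w", err)
	}
	// Sort the data keys so the report order is stable between runs.
	keys := make([]string, 0, len(cm.Data))
	for k := range cm.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var findings []Finding
	for _, k := range keys {
		value := cm.Data[k]
		for _, m := range pemPrivateKey.FindAllStringSubmatchIndex(value, -1) {
			findings = append(findings, Finding{
				DataKey: k,
				Line:    1 + strings.Count(value[:m[0]], "\n"),
				KeyType: value[m[2]:m[3]],
			})
		}
	}
	return findings, nil
}

func main() {
	samples := []struct{ name, doc string }{
		{"affected", affectedSample},
		{"fixed", fixedSample},
	}
	for _, s := range samples {
		findings, err := FindPrivateKeys([]byte(s.doc))
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d private key block(s)\n", s.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  .data.%s line %d: %s\n", f.DataKey, f.Line, f.KeyType)
		}
	}
}
```

A non-empty result on a cluster that ran an affected version is the cue to rotate the policy validator credentials, as the release note recommends.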
1882
1883## edge-22.6.2
1884
1885This edge release bumps the minimum supported Kubernetes version from `v1.20`
1886to `v1.21`, introduces some new changes, and includes a few bug fixes. Most
1887notably, a bug has been fixed in the proxy's outbound load balancer that could
1888cause panics, especially when the balancer would process many service discovery
1889updates in a short period of time. This release also fixes a panic in the
1890proxy-injector, and introduces a change that will include HTTP probe ports in
1891the proxy's inbound ports configuration, to be used for policy discovery.
1892
1893* Fixed a bug in the proxy's outbound load balancer that could cause panics
1894 when many discovery updates were processed in short time periods
1895* Added `runtimeClassName` options to Linkerd's Helm chart (thanks @jtcarnes!)
1896* Introduced a change in the proxy-injector that will configure the inbound
1897 ports proxy configuration with the pod's probe ports (HTTPGet)
1898* Added godoc links in the project README file (thanks @spacewander!)
1899* Increased minimum supported Kubernetes version to `v1.21` from `v1.20`
1900* Fixed an issue where the proxy-injector would not emit events for resources
1901 that receive annotation patches but are skipped for injection
1902* Refactored `PublicIPToString` to handle both IPv4 and IPv6 addresses in a
1903 similar way (thanks @zhlsunshine!)
1904* Replaced the usage of branch with tags, and pinned `cosign-installer` action
1905 to `v1` (thanks @saschagrunert!)
1906* Fixed an issue where the proxy-injector would panic if resources have an
1907 unsupported owner kind
1908
1909## edge-22.6.1
1910
1911This edge release fixes an issue where Linkerd injected pods could not be
1912evicted by Cluster Autoscaler. It also adds the `--crds` flag to `linkerd check`
1913which validates that the Linkerd CRDs have been installed with the proper
1914versions.
1915
1916The previously noisy "cluster networks can be verified" check has been replaced
1917with one that now verifies each running Pod IP is contained within the current
1918`clusterNetworks` configuration value.
1919
1920Additionally, linkerd-viz is no longer required for linkerd-multicluster's
1921`gateways` command — allowing the `Gateways` API to be marked as deprecated for
19222.12.
1923
1924Finally, several security issues have been patched in the Docker images now that
1925the builds are pinned only to minor — rather than patch — versions.
1926
1927* Replaced manual IP address parsing with functions available in the Go standard
1928 library (thanks @zhlsunshine!)
1929* Removed linkerd-multicluster's `gateway` command dependency on the linkerd-viz
1930 extension
1931* Fixed issue where Linkerd injected pods were prevented from being evicted by
1932 Cluster Autoscaler
1933* Added the `dst_target_cluster` metric to linkerd-multicluster's service-mirror
1934 controller probe traffic
1935* Added the `--crds` flag to `linkerd check` which validates that the Linkerd
1936 CRDs have been installed
1937* Removed the Docker image's hardcoded patch versions so that builds pick up
1938 patch releases without manual intervention
1939* Replaced the "cluster networks can be verified" check with a "cluster
1940 networks contains all pods" check which ensures that all currently running Pod
1941 IPs are contained by the current `clusterNetworks` configuration
1942* Added IPv6 compatible IP address generation in certain control plane
1943 components that were only generating IPv4 (thanks @zhlsunshine!)
1944* Deprecated linkerd-viz's `Gateways` API which is no longer used by
1945 linkerd-multicluster
1946* Added the `promm` package for making programmatic Prometheus assertions in
1947 tests (thanks @krzysztofdrys!)
1948* Added the `runAsUser` configuration to extensions to fix a PodSecurityPolicy
1949 violation when CNI is enabled
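
The containment test behind a "cluster networks contains all pods" style check, as an added example rather than the code `linkerd check` runs: it parses a comma-separated `clusterNetworks` value with Go's standard `net/netip` package and returns the Pod IPs that no configured network covers, for IPv4 and IPv6 alike. The function names, the sample networks and the sample Pod IPs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample inputs.
const sampleClusterNetworks = "10.0.0.0/8, 100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"

var samplePodIPs = []string{
	"10.42.0.17",
	"192.168.3.9",
	"198.18.4.2",        // outside every sample network
	"fd00:10:244::5",    // IPv6 Pod, but no IPv6 network is configured
	"::ffff:172.16.5.1", // IPv4-mapped form of a covered address
}

// ParseClusterNetworks splits a comma-separated list of CIDRs and parses each
// entry with the standard library instead of hand-written IP parsing.
func ParseClusterNetworks(value string) ([]netip.Prefix, error) {
	var nets []netip.Prefix
	for _, field := range strings.Split(value, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		p, err := netip.ParsePrefix(field)
		if err != nil {
			return nil, fmt.Errorf("invalid network %q: %w", field, err)
		}
		// Masked drops host bits so "10.1.2.3/8" is treated as "10.0.0.0/8".
		nets = append(nets, p.Masked())
	}
	if len(nets) == 0 {
		return nil, errors.New("clusterNetworks is empty")
	}
	return nets, nil
}

// UncoveredPodIPs returns, in input order, every Pod IP that is not contained
// in any of the given networks.
func UncoveredPodIPs(nets []netip.Prefix, podIPs []string) ([]string, error) {
	var missing []string
	for _, raw := range podIPs {
		addr, err := netip.ParseAddr(raw)
		if err != nil {
			return nil, fmt.Errorf("invalid pod IP %q: %w", raw, err)
		}
		// Prefix.Contains never matches an IPv4-mapped IPv6 address against
		// an IPv4 prefix, so normalise to plain IPv4 first.
		addr = addr.Unmap()
		covered := false
		for _, n := range nets {
			if n.Contains(addr) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, addr.String())
		}
	}
	return missing, nil
}

func main() {
	nets, err := ParseClusterNetworks(sampleClusterNetworks)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	missing, err := UncoveredPodIPs(nets, samplePodIPs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("cluster networks contain all pods")
		return
	}
	fmt.Println("pod IPs outside clusterNetworks:", strings.Join(missing, ", "))
}
```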
1950
1951## edge-22.5.3
1952
1953This edge release fixes a few proxy issues, improves the upgrade process, and
1954introduces proto retries to Service Profiles. Also included are updates to the
1955bash scripts to ensure that they follow best practices.
1956
1957* Polished the shell scripts (thanks @joakimr-axis)
1958* Introduced retries to Service Profiles based on the idempotency option of the
1959 method by adding an isRetryable function to the proto definition
1960 (thanks @mahlunar)
1961* Fixed proxy responses to CONNECT requests by removing the content-length
1962 and/or transfer-encoding headers from the response
1963* Fixed DNS lookups in the proxy to consistently use A records when SRV records
1964 cannot be resolved
1965* Added dynamic policy discovery to the proxy by evaluating traffic on ports
1966 not included in the LINKERD2_PROXY_INBOUND_PORTS environment variable
1967* Added logic to require that the linkerd CRDs are installed when running
1968 the `linkerd upgrade` command
1969
1970## edge-22.5.2
1971
1972This edge release ships a few changes to the chart values, a fix for
1973multicluster headless services, and notable proxy features. HA functionality,
1974such as PDBs, deployment strategies, and pod anti-affinity, have been split
1975from the HA values and are now configurable for the control plane. On the proxy
1976side, non-HTTP traffic will now be forwarded on the outbound side within the
1977cluster when the proxy runs in ingress mode.
1978
1979* Updated `ingress-mode` proxies to forward non-HTTP traffic within the cluster
1980 (protocol detection will always be attempted for outbound connections)
1981* Added a new proxy metric `process_uptime_seconds_total` to keep track of the
1982 number of seconds since the proxy started
1983* Fixed an issue with multicluster headless service mirroring, where exported
1984 endpoints would be mirrored with a delay, or when changes to the export label
1985 would be ignored
1986* Split HA functionality, such as PodDisruptionBudgets, into multiple
1987 configurable values (thanks @evan-hines-firebolt for the initial work)
1988
1989## edge-22.5.1
1990
1991This edge release adds more flexibility to the MeshTLSAuthentication and
1992AuthorizationPolicy policy resources by allowing them to target entire
1993namespaces. It also fixes a race condition when multiple CNI plugins are
1994installed together as well as a number of other bug fixes.
1995
1996* Added support for MeshTLSAuthentication resources to target an entire
1997 namespace, authenticating all ServiceAccounts in that namespace
1998* Fixed a panic in `linkerd install` when the `--ignore-cluster` flag is passed
1999* Fixed issue where pods would fail to start when `enablePSP` and
2000 `proxyInit.runAsRoot` are set
2001* Added support for AuthorizationPolicy resources to target namespaces, applying
2002 to all Servers in that namespace
2003* Fixed a race condition where the Linkerd CNI configuration could be
2004 overwritten when multiple CNI plugins are installed
2005* Added test for opaque ports using Service and Pod IPs (thanks @krzysztofdrys!)
2006* Fixed an error in the linkerd-viz Helm chart in HA mode
2007
2008## edge-22.4.1
2009
2010In order to support having custom resources in the default Linkerd installation,
2011the CLI install flow is now always a 2-step process where `linkerd install
2012--crds` must be run first to install CRDs only and then `linkerd install` is run
2013to install everything else. This more closely aligns the CLI install flow with
2014the Helm install flow where the CRDs are a separate chart. This also applies to
2015`linkerd upgrade`. Also, the `config` and `control-plane` sub-commands have been
2016removed from both `linkerd install` and `linkerd upgrade`.
2017
2018On the proxy side, this release fixes an issue where proxies would not honor the
2019cluster's opaqueness settings for non-pod/service addresses. This could cause
2020protocol detection to be performed, for instance, when using off-cluster
2021databases.
2022
2023This release also disables the use of regexes in Linkerd log filters (i.e., as
2024set by `LINKERD2_PROXY_LOG`). Malformed log directives could, in theory, cause a
2025proxy to stop responding.
2026
2027The `helm.sh/chart` label in some of the CRDs had its formatting fixed, which
2028avoids issues when installing/upgrading through external tools that make use of
2029it, such as recent versions of Flux.
2030
2031* Added `--crds` flag to install/upgrade and remove config/control-plane stages
2032* Allowed the `AuthorizationPolicy` CRD to have an empty
2033 `requiredAuthenticationRefs` entry that allows all traffic
2034* Introduced `nodeAffinity` config in all the charts for enhanced control on the
2035 pods scheduling (thanks @michalrom089!)
2036* Introduced `resources`, `nodeSelector` and `tolerations` configs in the
2037 `linkerd-multicluster-link` chart for enhanced control on the service mirror
2038 deployment (thanks @utay!)
2039* Fixed formatting of the `helm.sh/chart` label in CRDs
2040* Updated container base images from buster to bullseye
2041* Added support for spaces in the `config.linkerd.io/opaque-ports` annotation
2042
2043## edge-22.3.5
2044
2045This edge release introduces new policy CRDs that allow for more generalized
2046authorization policies.
2047
2048The `AuthorizationPolicy` CRD authorizes clients that satisfy all the required
2049authentications to communicate with the Linkerd `Server` that it targets.
2050Required authentications are specified through the new `MeshTLSAuthentication`
2051and `NetworkAuthentication` CRDs.
2052
2053A `MeshTLSAuthentication` defines a list of authenticated client IDs—specified
2054directly by proxy identity strings or referencing resources such as
2055`ServiceAccount`s.
2056
2057A `NetworkAuthentication` defines a list of client networks that will be
2058authenticated.
2059
2060Additionally, to support the new CRDs, policy-related labels have been changed
2061to better categorize policy metrics. A `srv_kind` label has been introduced
2062which splits the current `srv_name` value—formatted as `kind:name`—into separate
2063labels. The `saz_name` label has been removed and is replaced by the new
2064`authz_kind` and `authz_name` labels.
2065
2066* Introduced the `srv_kind` label which allowed splitting the value of the
2067 current `srv_name` label
2068* Removed the `saz_name` label and replaced it with the new `authz_kind` and
2069 `authz_name` labels
2070* Fixed an issue in the destination controller where an update would not be sent
2071 after an endpoint was discovered for a currently empty service
2072* Introduced the following custom resource types to support generalized
2073 authorization policies: `AuthorizationPolicy`, `MeshTLSAuthentication`,
2074 `NetworkAuthentication`
2075* Deprecated the `--proxy-version` flag (thanks @importhuman!)
2076* Updated linkerd-viz to use new policy CRDs
2077
2078## edge-22.3.4
2079
2080* Disabled pprof endpoints on Linkerd control plane components by default
2081* Fixed an issue where mirror service endpoints of headless services were always
2082 ready regardless of gateway liveness
2083* Added server side validation for ServerAuthorization resources
2084* Fixed an "origin not allowed" issue when using the latest Grafana with the
2085 Linkerd Viz extension
2086
2087## edge-22.3.3
2088
2089This edge release ensures that in multicluster installations, mirror service
2090endpoints have their readiness tied to gateway liveness. When the gateway for a
2091target cluster is not alive, the endpoints that point to it on a source cluster
2092will properly indicate that they are not ready.
2093
2094* Fixed tap controller logging errors that were susceptible to log forgery by
2095 ensuring special characters are escaped
2096* Fixed issue where mirror service endpoints were always ready regardless of
2097 gateway liveness
2098* Removed unused `namespace` entry in `linkerd-control-plane` chart
2099
2100## edge-22.3.2
2101
2102This edge release includes a few fixes and quality of life improvements. An
2103issue has been fixed in the proxy allowing HTTP Upgrade requests to work
2104through multi-cluster gateways, and the init container's resource limits and
2105requests have been revised. Additionally, more Go linters have been enabled and
2106improvements have been made to the devcontainer.
2107
2108* Changed `linkerd-init` resource (CPU/memory) limits and requests to ensure by
2109 default the init container does not break a pod's `Guaranteed` QOS class
2110* Added a new check condition to skip pods whose status is `NodeShutdown`
2111 during validation as they will not have a proxy container
2112* Fixed an issue that would prevent proxies from sending HTTP Upgrade requests
2113 (used in websockets) through multi-cluster gateways
2114
2115## edge-22.3.1
2116
2117This edge release includes updates to dependencies, CI, and Rust 1.59.0. It also
2118includes changes to the `linkerd-jaeger` chart to ensure that namespace labels
2119are preserved and adds support for `imagePullSecrets`, along with improvements
2120to the multicluster and policy functionality.
2121
2122* Added note to `multicluster link` command to clarify that the link is
2123 one-direction
2124* Introduced `imagePullSecrets` to Jaeger Helm chart
2125* Updated Rust to v1.59.0
2126* Fixed a bug where labels can be overwritten in the `linkerd-jaeger` chart
2127* Fixed broken mirrored headless services after `repairEndpoints` runs
2128* Updated `Server` CRD to handle an empty `PodSelector`
2129
2130## edge-22.2.4
2131
2132This edge release continues to address several security related lints and
2133ensures they are checked by CI.
2134
2135* Add `linkerd check` warning for clusters that cannot verify their
2136 `clusterNetworks` due to Nodes missing the `podCIDR` field
2137* Changed `Server` CRD to allow having an empty `PodSelector`
2138* Modified `linkerd inject` to only support `https` URLs to mitigate security
2139 risks
2140* Fixed potential goroutine leak in the port forwarding used by several CLI
2141 commands and control plane components
2142* Fixed timeouts in the policy validator which could lead to failures if
2143 `failurePolicy` was set to `Fail`
2144
2145## edge-22.2.3
2146
2147This edge release fixes some `Instant`-related proxy panics that occur on Amazon
2148Linux. It also includes many behind the scenes improvements to the project's
2149CI and linting.
2150
2151* Removed the `--controller-image-version` install flag to simplify the way that
2152 image versions are handled. The controller image version can be set using the
2153 `--set linkerdVersion` flag or Helm value
2154* Lowercased logs and removed redundant lines from the Linkerd2 proxy init
2155 container
2156* Prevented the proxy from logging spurious errors when its pod does not define
2157 any container ports
2158* Added workarounds to reduce the likelihood of `Instant`-related proxy panics
2159 that occur on Amazon Linux
2160
2161## edge-22.2.2
2162
2163This edge release updates the jaeger extension to be available in ARM
2164architectures and applies some security-oriented amendments.
2165
2166* Upgraded jaeger and the opentelemetry-collector to their latest versions,
2167 which now support ARM architectures
2168* Fixed `linkerd multicluster check` which was reporting false warnings
2169* Started enforcing TLS v1.2 as a minimum in the webhook servers
2170* Had the identity controller emit SHA256 certificate fingerprints in its
2171 logs/events, instead of MD5
2172
2173## edge-22.2.1
2174
2175This edge release removed the `disableIdentity` configuration now that the proxy
2176no longer supports running without identity.
2177
2178* Added a `privileged` configuration to linkerd-cni which is required by some
2179 environments
2180* Fixed an issue where the TLS credentials used by the policy validator were not
2181 updated when the credentials were rotated
2182* Removed the `disableIdentity` configurations now that the proxy no longer
2183 supports running without identity
2184* Fixed an issue where `linkerd jaeger check` would needlessly fail for BYO
2185 Jaeger or collector installations
2186* Fixed a Helm HA installation race condition introduced by the stoppage of
2187 namespace creation
2188
2189## edge-22.1.5
2190
2191This edge release adds support for per-request Access Logging for HTTP inbound
2192requests in Linkerd. A new annotation, `config.linkerd.io/access-log`, has been added,
2193which configures the proxies to emit access logs to stderr. `apache` and `json`
2194are the supported configuration options, emitting access logs in Apache Common
2195Log Format and JSON respectively.
2196
2197Special thanks to @tustvold for all the initial work around this!
2198
2199* Updated injector to support the new `config.linkerd.io/access-log` annotation
2200* Added a new `LINKERD2_PROXY_ACCESS_LOG` proxy environment variable to configure
2201 the access log format (thanks @tustvold)
2202* Updated service mirror controller to emit relevant events when
2203 mirroring is skipped for a service
2204* Updated various dependencies across the project (thanks @dependabot)
2205
2206## edge-22.1.4
2207
2208This edge release features a new configuration annotation, support for
2209externally hosted Grafana instances, and other improvements in the CLI,
2210dashboard and Helm charts. To learn more about using an external Grafana
2211instance with Linkerd, you can refer to our
2212[docs](https://github.com/linkerd/website/blob/0c3c5cd5ae329cd7dbcca18534f3bc8ec7d57859/linkerd.io/content/2.12/tasks/grafana.md).
2213
2214* Added a new annotation to configure skipping subnets in the init container
2215 (`config.linkerd.io/skip-subnets`). This configuration option is ideal for
2216 Docker-in-Docker (dind) workloads (thanks @michaellzc!)
2217* Added support in the dashboard for externally hosted Grafana instances
2218 (thanks @jackgill!)
2219* Introduced resource block to `linkerd-jaeger` Helm chart (thanks
2220 @yuriydzobak!)
2221* Introduced parametrized datasource (`DS_PROMETHEUS`) in all Grafana
2222 dashboards. This allows pointing to the right Prometheus datasource when
2223 importing a dashboard
2224* Introduced a consistent `--ignore-cluster` flag in the CLI for the base
2225 installation and extensions; manifests will now be rendered even if there is
2226 an existing installation in the current Kubernetes context (thanks
2227 @krzysztofdrys!)
2228* Updated the service mirror controller to skip mirroring services whose
2229 namespaces do not yet exist in the source cluster; previously, the service
2230 mirror would create the namespace itself.
2231
2232## edge-22.1.3
2233
2234This release removes the Grafana component in the linkerd-viz extension.
2235Users can now import linkerd dashboards into Grafana from the [Linkerd org](https://grafana.com/orgs/linkerd)
2236in Grafana. Users can also follow the instructions in the [docs](https://github.com/linkerd/website/blob/f687a04ee43c90bd804b04af287bc80c9366db98/linkerd.io/content/2.12/tasks/grafana.md)
2237to install a separate Grafana that can be integrated with the Linkerd Dashboard.
2238
2239* Stopped shipping grafana-based image in the linkerd-viz extension
2240* Removed `repair` sub-command in the CLI
2241* Updated various dependencies across the project (thanks @dependabot)
2242
2243## edge-22.1.2
2244
2245This release sets the version of the extension Helm charts to 30.0.0-edge to
2246ensure that previous versions of these charts can be upgraded properly.
2247
2248* Reset extensions Helm chart versions at 30.0.0-edge
2249* Pin multicluster extension pause container version to 3.2 so that it will work
2250 on Arm architectures
2251* Create a unique PSP `RoleBinding` for each multicluster link to prevent
2252 conflicts when PSP is enabled
2253
2254## edge-22.1.1
2255
2256This release adds support for using the cert-manager CA Injector to configure
2257Linkerd's webhooks.
2258
2259* Fixed a rare issue when a Service's opaque ports annotation does not match
2260 that of the pods in the service
2261* Disallowed privilege escalation in control plane containers (thanks @kichristensen!)
2262* Updated the multicluster extension's service mirror controller to make mirror
2263 services empty when the exported service is empty
2264* Added support for injecting Webhook CA bundles with cert-manager CA Injector
2265 (thanks @bdun1013!)
2266
2267## edge-21.12.4
2268
2269This release adds support for custom HTTP methods in the viz stats
2270(i.e., CLI and Dashboard). Additionally, it also includes various
2271smaller improvements.
2272
2273* Added support for custom HTTP methods in the `linkerd-viz` stats
2274* Updated the health checker to pull trust root from the `linkerd-identity-trust-roots`
2275 configmap to support cases where they are generated externally (thanks @wim-de-groot)
2276* Removed unnecessary `installNamespace` bool flag from the
2277 `linkerd-control-plane` chart (thanks @mikutas)
2278* Updated the `install` command to error if container runtime check fails
2279* Updated various dependencies across the project (thanks @dependabot)
2280
2281## edge-21.12.3
2282
2283This edge release contains a few improvements to the CLI commands and a major
2284change around Helm charts.
2285
2286* **Breaking change**
2287
2288The `linkerd2` chart has been deprecated in favor of the `linkerd-crds` and
2289`linkerd-control-plane` charts. The former takes care of installing all the
2290required CRDs and the latter everything else. Of important note is that, as per
2291Helm best practice, we're no longer creating the linkerd namespace. Users
2292are required to do that manually, or have the Helm tool do it explicitly. So the
2293install procedure would look something like this:
2294
```bash
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds

helm install linkerd-control-plane -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```
2304
2305In order to upgrade, please delete your previously installed `linkerd2` chart
2306and install the new charts as explained above.
2307
2308Although the charts for the main extensions (viz, multicluster, jaeger,
2309linkerd2-cni) were not deprecated, they also stopped creating their namespace
2310and users are required to uninstall and reinstall them anew, e.g:
2311
```bash
helm install linkerd-viz -n linkerd-viz --create-namespace linkerd/linkerd-viz
```
2315
2316* Added a new `--obfuscate` flag to `linkerd diagnostics proxy-metrics` to
2317 obfuscate potentially private information in the output (thanks
2318 @ahmedalhulaibi!)
2319* Fixed formatting of the recommended value for `--set clusterNetworks` in the
2320 `linkerd check` output when that parameter doesn't contain all the node
2321 podCIDRs (thanks @ElvinEfendi!)
2322* Skipped evicted pods in `linkerd viz check` and `linkerd jaeger check`, to
2323 avoid the checks failing unnecessarily
2324* Removed some no longer used environment variables from the proxy's manifest
2325
2326## edge-21.12.2
2327
2328This edge removes the default SMI functionality that is included in
2329installations now that the linkerd-smi extension provides these resources. It
2330also relaxes the `proxy-init`'s `privileged` value to only be set to `true` when
2331needed by certain installation configurations.
2332
2333Along with some bug fixes, the repository's issue and feature request templates
2334have been updated to forms; check them when opening a [new
2335issue](https://github.com/linkerd/linkerd2/issues/new/choose)! (thanks
2336@mikutas).
2337
2338* Removed SMI functionality in the default Linkerd installation; this is now
2339 part of the linkerd-smi extension
2340* Fixed autocompletion of the `--context` flag (thanks @mikutas!)
2341* Added support for conditionally setting `proxy-init`'s `privileged: true` only
2342 when needed (thanks @alex-berger!)
2343* Added support for controlling opaque ports through the Server resource
2344* Fixed an issue where `linkerd check` would compare proxy versions of
2345 uninjected pods leading to incorrect errors
2346* Relaxed extension checks so that the CLI still works when not all extension
2347 proxies are healthy
2348* Added the `--default-inbound-policy` flag to `linkerd inject` for setting a
2349 non-default inbound policy on injected workloads (thanks @ahmedalhulaibi!)
2350
2351## edge-21.12.1
2352
2353This edge release enables by default `EndpointSlices` in the destination
2354controller, which unblocks any functionality that is specific to
2355`EndpointSlices` such as topology-aware hints. It also contains a couple of
2356internal cleanups and upgrades, by our external contributors!
2357
2358* Added new check to `linkerd check` verifying the nodes aren't running the old
2359 Docker container runtime and attempting to run proxy-init as root at the same
2360 time, which doesn't work (thanks @alex-berger!)
2361* Enabled `EndpointSlices` in the destination controller by default
2362* Removed extraneous empty lines and fixed the formatting of warnings in the
2363 output of `linkerd check -o short`
2364* Upgraded to go 1.17 (thanks @Juneezee!)
2365* Removed old protobuf definitions from the codebase (thanks @krzysztofdrys!)
2366
2367## edge-21.11.4
2368
2369This edge release introduces a change in the destination service to honor
2370opaque ports set in the `proxyProtocol` field of `Server` resources. This
2371change makes it possible to set opaque ports directly in `Server` resources
2372without needing the opaque ports annotation on pods. The release also features
2373a number of fixes and improvements, a big thank you to our external
2374contributors for their continued support and involvement.
2375
2376* Added support in the destination service for honoring opaque ports marked in
2377 `Server` resources; ports can now be marked as opaque directly in `Server`
2378 resources through the `proxyProtocol` field.
2379* Added support to override default behavior and run `proxyInit` as root
2380 (thanks @alex-berger!)
2381* Added multicluster `Link` CRD to code generation script; consumers of the
2382 multicluster API can now use a typed API to interact with multicluster links
2383 (thanks @zaharidichev!)
2384* Added a multicluster integration test for exported headless services (thanks
2385 @importhuman!)
2386* Deprecated `v1alpha1` version of the policy APIs
2387* Removed newline from `linkerd check` header text (thanks @mikutas!)
2388* Replaced deprecated `beta.kubernetes.io/os` label with `kubernetes.io/os`
2389
2390## edge-21.11.3
2391
2392This edge release fixes a compatibility issue that prevented the policy
2393controller from starting in some Kubernetes distributions. This release also
2394includes a new High Availability mode for the gateway component in multicluster
2395extension. Various dependencies across the CNI plugin, Policy Controller and
2396dashboard have also been upgraded. In the proxy, error logging when the proxy
2397fails to accept a connection due to a system error has been improved.
2398
2399* Updated policy controller to use `openssl` instead of `rustls` to fix
2400 compatibility issues with some Kubernetes distributions
2401* Added HA mode to multicluster gateway that adds a PodDisruptionBudget,
2402 additional replicas and anti-affinity to the deployment (thanks @Crevil)
2403* Improved TCP server error messages in the proxy
2404* Fixed broken Grafana links in the dashboard
2405* Upgraded CNI pkg to v0.8.1 in `linkerd-cni` to support latest CNI
2406 versions
2407* Updated various dependencies in the dashboard, policy controller
2408 (thanks @dependabot)
2409
2410## edge-21.11.2
2411
2412This edge release introduces a new Services page in the web dashboard that shows
2413live calls and route metrics for meshed services. Additionally, the `proxy-init`
2414container is no longer enforced to run as root. Lastly, the proxy can now retry
2415requests with a `content-length` header—permitting requests emitted by grpc-go
2416to be retried.
2417
2418* Removed hardcoding that enforced the `proxy-init` container to run as root
2419* Added support for retrying requests without a `content-length` header
2420* Changed service discovery logs from `TRACE` to `DEBUG`
2421* Fixed issue with policy controller where it assumed `linkerd` was the name of
2422 the control plane namespace, leading to issues with installations that use a
2423 non-default namespace name
2424* Added support for ephemeral storage requests and limits configured either
2425 through the CLI or annotations (thanks @michaellzc!)
2426* Deprecated support for topology keys and added support for topology aware
2427 hints
2428* Added `logFormat` and `logLevel` configuration values for the `proxy-init`
2429 container (thanks @gusfcarvalho!)
2430* Added services to the web dashboard (thanks @krzysztofdrys!)
2431* Updated example commands in the web dashboard to use the `viz` subcommand when
2432 necessary (thanks @mikutas!)
2433* Removed references to `linkerd-sp-validator` service account in the
2434 `linkerd-psp` role binding (thanks @multimac!)
2435
2436## edge-21.11.1
2437
2438In this edge, we're very excited to introduce Service Account Token Volume
2439Projections, used to set up the pods' identities. These tokens are bound
2440specifically for this use case and are rotated daily, replacing the usage of the
2441default tokens injected by Kubernetes which are overly permissive.
2442
2443Note that this edge release updates the minimum supported kubernetes version to 1.20.
2444
2445* Updated the minimum supported kubernetes version to 1.20
2446* Use Service Account Token Volume Projections to set up the pods' identities;
2447 now injection also works on pods with `automountServiceAccountToken` set to
2448 `false`
2449* Updated proxy-init's Alpine base image to fix some CVEs (not affecting
2450 Linkerd)
2451* Updated the Prometheus image in linkerd-viz to 2.30.3
2452* Changed the proxy and policy controller to use jemalloc on x86_64 gnu/linux to
2453 reduce memory usage
2454* Fixed output for `linkerd check -o json`
2455* Added ability to configure ephemeral-storage resources for each component
2456 (thanks @michaellzc!)
2457
2458## edge-21.10.3
2459
2460This edge release fixes a bug in the proxy that could cause it to be killed in
2461certain situations. It also uses a more relaxed policy for the identity
2462controller that allows it to work in environments where health checks come from
2463outside of the pod network.
2464
2465* Skipped Prometheus scrapes on policy's `admin` server so that it no longer
2466 incorrectly appears as "DOWN" in the Prometheus UI
2467* Updated the identity controller to use the 'all-unauthenticated' policy so
2468 that it can accept health checks from the node IPs
2469* Fixed an infinite loop in the proxy that could cause it to be killed
2470* Added tests for the multicluster install command (thanks @crevil!)
2471* Fixed a bug where `authz` CLI commands would fail when policy resources had
2472 an empty selector
2473
2474## edge-21.10.2
2475
2476This edge release fixes linkerd check and the helm charts to explicitly
2477indicate that the minimum Kubernetes version is 1.17.0. Prior to this change,
2478there was no validation or enforcement from linkerd check or helm to meet this
2479minimum requirement.
2480
2481This edge also improves `check` functionality for extensions by adding the
2482`-oshort` flag, and prevents duplicate policy resources from being created for
2483linked multicluster services.
2484
2485* Moved service mirror policy into multicluster base chart
2486* Added `-oshort` flag for extension `check` commands
2487* Updated minimum kubernetes version to 1.17.0
2488* Removed unused `crtExpiry` template parameter from helm charts
2489* Fixed multicluster gateway name for ServerAuthorization
2490* Added `priorityClassName` to the helm charts to configure control plane
2491 components
2492
2493## edge-21.10.1
2494
This release includes some fixes in `linkerd check`, along with a
bunch of dependency updates across the dashboard, Go components, and
others. On the proxy side, support for `TLSv1.2` has been dropped
(only the `TLSv1.3` cipher suite will be used), and the `h2` crate has been
updated to support HTTP/2 messages with larger header values.
2500
2501* Updated `linkerd check` to avoid multiline errors with retryable checks
2502* Fixed incorrect opaque ports warning in `linkerd check --proxy` with
2503 un-named ports
2504* Bumped proxy-init to `1.4.1` which adds support for `--log-level`
2505 and `--log-format` flags (thanks @gusfcarvalho)
2506* Removed the use of `TLSv1.2` in the proxy
2507* Updated the `h2` crate in the proxy to support HTTP/2 messages with
2508 larger header values.
2509* Updated various dependencies across the dashboard, policy-controller, etc
2510 (thanks @dependabot!)
2511
2512## stable-2.11.0
2513
2514This release introduces access control policies. Default policies may be
2515configured at the cluster- and workspace-levels; and fine grained policies may
2516be instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and
2517`ServerAuthorization`. These resources may be created to define how individual
2518ports accept connections; and the `Server` resource will be a building block for
2519future features that configure inbound proxy behavior.
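
As an added illustration (not part of the Linkerd release notes), the manifests below show how the two CRDs fit together: a `Server` selects a port on a set of pods, and a `ServerAuthorization` names the clients allowed to reach it. The namespace, resource names, labels, port name and service account are hypothetical.

```yaml
# Constructed example; every name, label and port below is hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  annotations:
    # Default for ports that no Server selects: refuse anything that is
    # not explicitly authorized. Read when pods are injected.
    config.linkerd.io/default-inbound-policy: deny
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: payments
  name: ledger-grpc
spec:
  # Pods this Server applies to.
  podSelector:
    matchLabels:
      app: ledger
  # Named container port (a port number is also accepted).
  port: grpc
  # Declaring the protocol lets the proxy skip protocol detection.
  proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: payments
  name: ledger-grpc-from-api
spec:
  # The Server this authorization attaches to.
  server:
    name: ledger-grpc
  client:
    # Only mutually-authenticated mesh clients running as this
    # service account are admitted; everything else is rejected.
    meshTLS:
      serviceAccounts:
        - name: api-gateway
          namespace: payments
```

Once a `Server` selects a port, only clients matched by a `ServerAuthorization` for that `Server` are admitted, so check the authorization metrics after rollout to confirm that expected callers are not being rejected.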
2520
2521Furthermore, `ServiceProfile` retry configurations can now instrument retries
2522for requests with bodies. This unlocks retry behavior for gRPC services.
2523
2524**Upgrade notes**: Please see the [upgrade instructions][upgrade-2110].
2525
2526* Proxy
2527 * Reduced CPU & Memory usage by up to 30% in some load tests
2528 * Updated retries to support requests with bodies up to 64KB. ServiceProfiles
2529 may now configure retries for gRPC services
2530 * The proxy's container image is now based on `gcr.io/distroless/cc` to
2531 contain a minimal OS footprint that should not trigger unnecessary alerts in
2532 security scanners
2533 * Added the `inbound_http_errors_total` and `outbound_http_errors_total`
2534 metrics to reflect errors that caused the proxy to respond with errors
2535 * Added an `l5d-proxy-error` header that is included on responses on trusted
2536 connections for debugging purposes
2537 * Added a `l5d-client-id` header on mutually-authenticated inbound requests so
2538 that applications can discover the client's identity
2539 * Added metrics to reflect TCP and HTTP authorization decisions
2540 * Added `srv_name` and `saz_name` labels to inbound HTTP metrics
2541 * Fixed an issue that could cause the proxy to continually reconnect to
2542 defunct service endpoints
2543 * Dropped support for non-HTTP outbound services when `linkerd.io/inject:
2544 ingress` is used
2545 * Instrumented fuzz testing to help guard against unexpected panics
2546
2547* Control Plane
2548 * Added a new `policy-controller` container to the `linkerd-destination`
2549 pod--the first control plane component implemented in Rust
2550 * Added a new admission controller to validate that multiple `Server`
2551 resources do not reference the same port
2552 * Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust
2553 root bundle for all pods in the core control plane namespace
2554 * Eliminated the `linkerd-controller` deployment so that Linkerd's core
2555 control plane now consists of only 3 deployments
2556 * Updated the proxy injector to configure the `proxy-init` container with
2557 `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail
2558 when the pod drops these capabilities
2559
2560* CLI
2561 * Enhanced `linkerd completion` to expand Kubernetes resources from the current
2562 kubectl context
2563 * Added an `authz` subcommand to display the authorization policies that
2564 impact a workload
2565 * Added a _short_ output mode for `linkerd check` that only prints failed
2566 checks
2567 * Added support for `ReplicaSets` to `linkerd stat` so that pods created by
2568 Argo `Rollout` resources can be inspected
2569
2570* Helm: please see the [upgrade instructions][upgrade-2110].
2571
2572* Extensions:
2573 * Introduced a new (optional) SMI extension responsible for reading
2574 `specs.smi-spec.io` resources and converting them to Linkerd resources
2575 * In `stable-2.12`, this extension will be required to use `TrafficSplit`
2576 resources with Linkerd
2577 * Added an extensions page to the Linkerd Web UI
2578
2579 * Viz
2580 * Added `Server` and `ServerAuthorization` resources for all ports
2581 * Added JSON log formatting
2582
2583 * Jaeger
2584 * Added OpenTelemetry collector instead of OpenCensus
2585
2586 * Multicluster
2587 * Added experimental support for `StatefulSet` workloads
2588
2589This release includes changes from a massive list of contributors. A special
2590thank-you to everyone who helped make this release possible:
2591
2592Gustavo Fernandes de Carvalho @gusfcarvalho
2593Oleg Vorobev @olegy2008
2594Bart Peeters @bartpeeters
2595Stepan Rabotkin @EpicStep
2596LiuDui @xichengliudui
2597Andrew Hemming @drewhemm
2598Ujjwal Goyal @importhuman
2599Knut Götz @knutgoetz
2600Sanni Michael @sannimichaelse
2601Brandon Sorgdrager @bsord
2602Gerald Pape @ubergesundheit
2603Alexey Kostin @rumanzo
2604rdileep13 @rdileep13
2605Takumi Sue @mikutas
2606Akshit Grover @akshitgrover
2607Sanskar Jaiswal @aryan9600
2608Aleksandr Tarasov @aatarasoff
2609Taylor @skinn
2610Miguel Ángel Pastor Olivar @migue
2611wangchenglong01 @wangchenglong01
2612Josh Soref @jsoref
2613Carol Chen @kipply
2614Peter Smit @psmit
2615Tarvi Pillessaar @tarvip
2616James Roper @jroper
2617Dominik Münch @muenchdo
2618Szymon Gibała @Szymongib
2619Mitch Hulscher @mhulscher
2620
2621[upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110
2622
2623## edge-21.9.5
2624
2625This edge is a release candidate for `stable-2.11.0`, containing a couple of
2626improvements to `linkerd check`, some final tweaks before the stable release,
2627and a couple of contributions from the community.
2628
2629* Had `linkerd check --proxy` stop failing on pods that are in Shutdown status
2630 (thanks @olegy2008!)
* Lowered from error to warning a failed check on misconfigured opaque ports
 annotations, given that this doesn't imply the installation is broken
2633* Added log level and format settings to all the viz components (thanks
2634 @gusfcarvalho!)
2635* Removed label from the multicluster gateway and service-mirror pods to allow
2636 them to be properly rolled out when upgrading
2637
2638## edge-21.9.4
2639
2640This edge is a release candidate for `stable-2.11.0`! It introduces a new
2641`linkerd viz auth` command which shows metrics for server authorizations broken
2642down by server for a given resource. It also shows the rate of unauthorized
2643requests to each server. This is helpful for seeing a breakdown of which
2644authorizations are being used and what proportion of traffic is being rejected.
2645
2646It also fixes an issue in the proxy where HTTP load balancers could continue
2647trying to establish connections to endpoints that were removed from service
discovery. In addition, it improves the proxy's error handling so that it can
signal to an inbound proxy when its peers' outbound connections should be torn
down.
2651
2652* Changed destination watch updates from `info` to `debug` to reduce the amount
2653 of logs (thanks @bartpeeters!)
2654* Added the `linkerd viz auth` command which shows metrics for server
2655 authorizations broken down by server for a given resource
2656* Fixed an issue where the policy controller's validating admission webhook
2657 attempted to validate ServerAuthorizations when it should only be validating
2658 Servers
2659* Removed `omitWebhookSideEffects` setting now that we no longer support
2660 Kubernetes 1.12
2661* Improved proxy error handling so that it can signal to its peers that their
2662 outbound connections should be torn down
2663* Fixed an issue where after upgrades there would be a mismatch in certs used by
2664 the policy controller validator; the destination pod is now restarted similar
2665 to the injector
2666* Fixed a field reference in the Helm template to properly refer to
2667 `profileValidator.namespaceSelector`
2668* Updated policy CRD versions to `v1beta1`
2669* Added support for `stat`'s `-o json` option to Server resources
2670* Fixed an issue in the proxy where HTTP load balancers could continue trying to
2671 establish connections to endpoints that were removed from service discovery
2672* Added JSON output format to `linkerd viz authz` command
2673
2674## edge-21.9.3
2675
2676This edge is a release candidate for `stable-2.11.0`! It features a new `linkerd
2677authz` CLI command to list servers and authorizations for a workload, as well as
2678policy resources support for `linkerd viz stat`. Furthermore, this edge release
2679adds support for JSON log formatting, enables TLS detection on port 443
2680(previously marked as opaque), and further improves policy features.
2681
2682* Removed port 443 from the default list of opaque ports, this will allow the
2683 proxy to report metadata (such as the connection's SNI value) on TLS
2684 connections to port 443
2685* Added default policies for core Linkerd extensions
2686* Added support for JSON log formatting to the policy controller
2687* Added support for new policy resources to `viz stat` command
2688* Added default policy annotation to `linkerd-identity`
2689* Added a new `linkerd authz` command to the CLI to list all server and
2690 authorization resources that apply to a specific resource
2691* Added TLS labels (including client identity) to authorization metrics in the
2692 proxy
2693* Changed the opaque ports CLI check to consider service and pod ports when
2694 checking annotation values; previously, the check would naively issue warnings
2695 when the service annotation values were different from the pod it selected
2696* Changed how the proxy forwards inbound connections to a pod locally; the proxy
2697 now targets the original address instead of a port bound on localhost to
2698 protect services that are only bound on loopback from being exposed to other
2699 pods
2700* Improved memory utilization in the proxy, especially for TCP forwarding, where
2701 the memory allocated was reduced from 128KB to 16KB
2702* Updated the inbound policy system for the proxies to always allow connections
2703 from localhost
2704* Fixed an issue where the policy controller would not detect changes to the
2705 `proxyProtocol` field of `Server` resources
2706* Fixed an issue where the policy admission controller would log a `WARN`
2707 message when deserializing `Server` structs
2708
2709## edge-21.9.2
2710
2711This edge release gets us closer to 2.11 by further polishing the policy
2712feature. Also the proxy received a noticeable resource consumption improvement.
2713
2714* Stopped creating the default authorizations for the kubelet
2715* Added missing ports to the destination controller's default list of ports, to
2716 allow the sp-validator to start properly when using a default-deny policy
2717* Set the destination and proxy-injector pods default policy to
2718 `all-unauthenticated` to allow the webhooks to be called from the kube-api
2719 when using a default-deny policy
2720* Extended inbound policies to cover the proxy's admin server
2721* Improved the proxy's error handling so that HTTP metrics include 5XX responses
2722 for common errors
2723* The proxy's outbound tap has been fixed to include route labels when service
2724 profiles are configured
2725* Enabled link-time optimizations in the Rust components (proxy and policy
2726 controller), resulting in noticeable RSS and CPU consumption improvements
2727* Made the admin servers in the control plane components properly shut down
2728 (thanks @EpicStep!)
2729* Updated linkerd-await, suppressing the error emitted when linkerd-await was
2730 disabled
2731
2732## edge-21.9.1
2733
This release includes various improvements and feature additions across the
policy feature, namely a new validating webhook for policy resources. It also
includes changes in the proxy, namely terminating TCP connections when an
authorization is revoked and improvements in the proxy authorization metrics.
In addition, the proxy injector has been updated to set the right
`opaque-ports` annotation on services with default opaque ports.
2739
2740* Added a new validating admission controller to validate the policy resources
2741* Updated the proxy-init to remove a rule which caused the packets from the proxy
2742 with destination != 127.0.0.1 on localhost to be sent to the inbound proxy
2743* Updated inbound policy enforcement to interrupt TCP forwarding if a previously
2744 established authorization is revoked
2745* Added new proxy metrics to expose authorization decisions
2746* Updated inbound TCP metrics to only include a `srv_name` label
2747* Updated the proxy to export route-oriented metrics only when a ServiceProfile
2748 is enabled
2749* Updated the proxy's release build configuration to improve CPU and memory
2750 utilization
2751* Added DNS name validation to the `proxy-identity` binary which creates the
2752 read-only private key required by the proxy (thanks @yorkijr!)
2753* Updated the identity controller's default policy to be `cluster-unauthenticated`
2754* Updated the proxy injector to include the correct default ports as opaque with
2755 services
* Deprecated the usage of `viz stat ts`, which now prints a warning about the
 SMI extension
2757* Updated various dependencies across the dashboard, policy-controller
2758 (thanks @dependabot!)
2759
2760## edge-21.8.4
2761
2762This edge release continues to build on the policy feature by adding support for
2763cluster-scoped default policies and exposing policy labels on various prometheus
2764metrics. The proxy has been updated to return HTTP-level authorization errors
2765at the time that the request is processed, instead of when the connection is
2766established.
2767
2768In addition, the proxy-injector has been updated to set the `opaque-ports`
2769annotation on a workload to make sure that controllers can discover how the
2770workload was configured. Also, the `sleep` binary has been added to the proxy
2771image in order to restore the functionality required for `waitBeforeExitSeconds`
2772to work.
2773
2774* Added `default-inbound-policy` annotation to the proxy-injector
2775* Updated the proxy-injector to always add the `opaque-ports` annotation
2776* Added `sleep` binary to proxy image
2777* Updated inbound traffic metrics to include server and authorization labels
2778* Updated the policy-controller to honor pod level port annotations when a
2779 `Server` resource definition does not match the ports defined for the workload
2780* Updated the point at which the proxy returns HTTP-level authorization errors
2781* Exposed permit and policy labels on HTTP metrics
2782* Added support for cluster-scoped default policies
2783* Dropped `nonroot` variant from the policy-controller's distroless base image
2784 to avoid erroring in some environments.
2785
2786## edge-21.8.3
2787
2788This release adds support for dynamic inbound policies. The proxy now discovers
2789policies from the policy-controller API for all application ports documented in a
2790pod spec. Rejected connections are logged. Policies are not yet reflected in the
2791proxy's metrics.
2792
2793These policies also allow the proxy to skip protocol detection when a server is
2794explicitly annotated as HTTP/2 or when the server is documented to be opaque or
2795application-terminated TLS.
2796
2797* Added a new section to linkerd-viz's dashboard that lists installed extensions
2798 (thanks @sannimichaelse!)
2799* Added the `enableHeadlessServices` Helm flag to the `linkerd multicluster
2800 link` command for enabling headless service mirroring (thanks @knutgoetz!)
2801* Removed some unused and duplicate constants in the codebase (thanks
2802 @xichengliudui!)
2803* Added support for exposing service metadata from exported to mirrored services
2804 in multicluster installations (thanks @importhuman!)
2805* Fixed an issue where the policy controller's liveness checks would fail after
2806 the controller was disconnected but had successfully resumed its watches
2807* Fixed the `linkerd-policy` service selector to properly select `destination`
2808 control plane components
2809* Added additional environment variables to the proxy container to allow support
2810 for dynamic policy configuration
2811
2812## edge-21.8.2
2813
2814This edge release continues the policy work by adding a new controller, written
2815in Rust, to expose a discovery API for inbound server policies. Apart from
2816that, this release includes a number of changes from external contributors; the
2817`linkerd-jaeger` helm chart now supports passing arguments to the Jaeger
2818container through the chart's values file. A number of unused functions and
2819variables have been also removed to improve the quality of the codebase.
2820Finally, this release also comes with changes to the proxy's outbound behavior,
2821a new extensions page on the dashboard, and support for querying service
2822metrics using the `authority` label in `linkerd viz stat`.
2823
2824* Introduced new `linkerd-policy-controller`; the new controller is written in
2825 Rust and implements discovery APIs for inbound server policies, the container
2826 has been added to the `linkerd-destination` pod
2827* Updated `linkerd-jaeger` helm chart to support passing arguments to the
2828 Jaeger container (thanks @bsord!)
2829* Added support for querying service metrics using the `authority` label in
2830 `linkerd viz stat`
2831* Improved code hygiene by removing unused constants and functions throughout
2832 the codebase (thanks @xichengliudui!)
2833* Added a new extensions page to the dashboard to list all known built-in and
2834 third party extensions that can be used with Linkerd
2835* Changed outbound behavior in the proxy to tear down server-side connections
2836 when the remote proxy returns responses that indicate proxy errors; the
2837 connection in this case will be reset to allow clients to connect to a new
2838 endpoint
2839
2840## edge-21.8.1
2841
This release includes initial changes toward adding authorization to Linkerd,
including the addition of the new `policy.linkerd.io` CRDs to the core install.
It also includes numerous dependency updates both in the web and dashboard.
2845
2846* Added `servers.policy.linkerd.io` and `serverauthorizations.policy.linkerd.io`
2847 CRDs into the default Linkerd installation to support configuration and
2848 discovery of inbound policies
2849* Modified the proxy to support upcoming policy features
2850* Updated several dashboard dependencies to latest versions
2851* Updated several proxy dependencies to latest versions
2852
2853## edge-21.7.5
2854
2855This release updates Linkerd to store the identity trust root in a ConfigMap to
2856make it easier to manage and rotate the trust root. The release also lays the
2857groundwork for StatefulSet support in the multicluster extension and removes
2858deprecated PSP resources by default.
2859
2860* Added a `linkerd-identity-trust-roots` ConfigMap which contains the configured
2861 trust root bundle
2862* Introduced support for StatefulSets across multicluster (disabled by default)
2863* Stopped installing PSP resources by default since these are deprecated as
2864 of Kubernetes v1.21
2865
2866## edge-21.7.4
2867
This release continues to focus on dependency updates. It also adds the
`l5d-proxy-error` information header to distinguish proxy generated errors
from application generated errors.
2871
2872* Updated several project dependencies
* Added a new `l5d-proxy-error` header on responses that allows proxy-generated
 error responses to be distinguished from application-generated error responses.
2875* Removed support for configuring HTTP/2 keepalives via the proxy.
2876 Configuring this setting would sometimes cause conflicts with Go gRPC servers
2877 and clients
2878* Added a new `target_addr` label to `*_tcp_accept_errors` metrics to improve
2879 diagnostics, especially for TLS detection timeouts
2880
2881## edge-21.7.3
2882
2883This edge release introduces several changes around metrics. ReplicaSets are now
2884a supported resource and metrics can be associated with them. A new metric has
2885been added which counts proxy errors encountered before a protocol can be
2886detected. Finally, the request errors metric has been split into separate
2887inbound and outbound directions.
2888
2889* Fixed printing `check --pre` command usage if it fails after being unable to
2890 connect to Kubernetes (thanks @rdileep13!)
2891* Updated the default skip and opaque ports to match that which is listed in the
2892 [documentation](https://linkerd.io/2.10/features/protocol-detection/#configuring-protocol-detection)
2893* Added the `LINKERD2_PROXY_INBOUND_PORTS` environment variable during proxy
2894 injection which will be used by ongoing policy changes
2895* Added client-go cache size metrics to the `diagnostics controller-metrics`
2896 command
2897* Added validation that the certificate provided by an external issuer is a CA
2898 (thanks @rumanzo!)
2899* Added metrics support for ReplicaSets
2900* Replaced the `request_errors_total` metric with two new metrics:
2901 `inbound_http_errors_total` and `outbound_http_errors_total`
2902* Introduced the `inbound_tcp_accept_errors_total` and
2903 `outbound_tcp_accept_errors_total` metrics which count proxy errors
2904 encountered before a protocol can be detected
2905
2906## edge-21.7.2
2907
2908This edge release focuses on dependency updates and has a couple of functional
2909changes. First, the Dockerfile used to build the proxy has been updated to use
2910the default `distroless` image, rather than the non-root variant. This change
2911is safe because the proxy already runs as non-root within the container. Second,
2912the `ignoreInboundPorts` parameter has been added in the linkerd2-cni helm
2913charts in order to enable tap support.
2914
2915* Updated several project dependencies
2916* Updated the Dockerfile-proxy to use the default distroless image, because
2917 the proxy already runs as non-root within the container
2918* Added `ignoreInboundPorts` parameter to the linkerd2-cni plugin helm chart
2919
2920## edge-21.7.1
2921
2922This edge release adds support for emitting Kubernetes events in the identity
2923controller when issuing leaf certificates. The event includes the identity,
2924expiry date, and a hash of the certificate. Additionally, this release contains
2925many dependency updates for the control plane's components, and it includes a
2926fix for an issue with the clusterNetworks healthcheck.
2927
2928* Updated the identity controller to emit Kubernetes events when successfully
2929 issuing leaf certificates to injected pods.
2930* Fixed an issue in `linkerd check` where the clusterNetworks healthcheck
2931 would fail if the `podCIDR` field is omitted from a node's spec.
2932* Removed unnecessary controller port-forward logic from the `bin/web` script.
2933
2934## edge-21.6.5
2935
This release contains a few improvements, from many contributors! Also under
the hood, the destination service has received updates in preparation for the
upcoming support for StatefulSets across multicluster.
2939
2940* Improved the `linkerd check --proxy` command to avoid hitting a timeout when
2941 dealing with large clusters
2942* Fixed the web component permissions in order to properly run the podCIDR check
2943 (thanks @aryan9600!)
2944* Avoid having the proxy-init container fail when the main container is
2945 configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks
2946 @aryan9600!)
2947* Upgraded the proxy-init image to improve the output in "simulate" mode (thanks
2948 @liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)
2949* Added test-coverage reports to PRs (thanks @akshitgrover!)
2950
2951## edge-21.6.3
2952
2953This release moves the Linkerd proxy to a more minimal Docker base image,
2954adds a check for detecting certain network misconfigurations, and replaces
2955the deprecated OpenCensus collector with the OpenTelemetry collector in the
2956jaeger extension.
2957
2958* Switched the Linkerd proxy's base docker image from Debian to a minimal
2959 distroless base image (thanks @tskinn!)
2960* Added a check to verify that Linkerd's clusterNetworks settings match the
2961 cluster's pod CIDR networks (thanks @aryan9600!)
2962* Replaced the deprecated OpenCensus collector with the OpenTelemetry
2963 collector in the jaeger extension (thanks @aatarasoff!)
2964
2965## edge-21.6.2
2966
2967This release fixes a problem with the HTTP body buffering that was added
2968to support gRPC retries. Now, only requests with a retry configuration
2969are buffered (and only when their bodies are less than 64KB).
2970
Additionally, this release fixes an issue with the outbound ingress-mode proxy
where forwarded HTTP clients could fail to detect when the target pod was
deleted, causing connections to retry forever. This only impacted traffic
forwarded directly to pod IPs and not load balanced services.
2975
2976Finally, this release also includes some fixes in the CLI and dashboard.
2977
2978* Added a new check that verifies if the opaque ports annotation is
2979 misconfigured on services or pods (thanks @migue!)
2980* Added support for resource aware completion for core linkerd command
2981* Fixed an issue where `namespace` resource was erroneously being shown
2982 in the dashboard's topology graph
2983* Added uninstall command support for legacy extension installs
2984* Updated the proxy to only buffer request bodies when a request can be retried
2985* Updated the proxy to prevent buffering indefinitely on requests
2986 when endpoints are updated in ingress mode
2987* Fixed spelling mistakes across various files in the project
2988 (thanks @jsoref!)
2989
2990## edge-21.6.1
2991
2992This release adds support for retrying HTTP/2 requests with small (<64KB)
2993message bodies, allowing the proxy to properly buffer message bodies when
2994responses are classified as a failure. Documentation on how to configure
2995retries can be found [here](https://linkerd.io/2.10/tasks/configuring-retries/).
2996
2997This release also modifies the proxy's identity subsystem to instantiate a
2998client on-demand so client connections are not retained continually. Also
2999included in this release are various bug fixes and improvements as well as
3000expanding support for resource-aware tab completion in the jaeger and
3001multicluster CLI extensions.
3002
3003* Added support for specifying a `gateway-port` flag for the `multicluster link`
3004 command (thanks @psmit!)
3005* Added support for Kubernetes resource aware tab completion for `jaeger` and
3006 `multicluster` commands
3007* Fixed an issue where `viz`, `jaeger` and `multicluster` extensions could not
3008 be installed on `PodSecurityPolicy`-enabled clusters
3009* Fixed an issue where `linkerd check --proxy` could incorrectly report
3010 out-of-date proxy versions caused by incorrect regex (thanks @aryan9600!)
3011* Added support for the proxy to retry HTTP/2 requests with message bodies
3012 <= 64KB
3013* Modified the proxy's controller stack to create new client connections
3014 on-demand
3015* Fixed Viz's `uninstall` command to remove viz installations that used the
3016 legacy `linkerd.io/extension: linkerd-viz` label (thanks @jsoref!)
3017* Expanded the "linkerd-existence" health check to also check for the
3018 destination pod readiness
3019
3020## edge-21.5.3
3021
This edge release contains various improvements to the Viz and Jaeger install
charts, along with bug fixes in the CLI and destination. This release also
adds Kubernetes-aware autocompletion to all viz commands, and makes
ServiceProfiles part of the default `viz install`.
3026
3027Finally, the proxy has been updated to continue supporting requests without
3028`l5d-dst-override` in ingress-mode proxies, to no longer include query parameters
3029in the OpenCensus trace spans, and to prevent timeouts with controller clients
3030of components with more than one replica.
3031
3032* Separated protocol hint setting from H2 upgrades in destination profile
3033 response, thus preventing `hint.OpaqueTransport` field from not being set when
3034 H2 upgrades are disabled
3035* Updated OpenCensus trace spans for HTTP requests to no longer include query
3036 parameters (thanks @aatarasoff!)
3037* Reverted [linkerd/linkerd2-proxy#992](https://github.com/linkerd/linkerd2-proxy/pull/992)
3038 to support requests without `l5d-dst-override` in ingress-mode proxies
3039* Fixed an issue in the proxy to prevent timeouts with controller clients
3040 of components with more than one replica
3041* Fixed `linkerd check --proxy` failure with pods that are part of Jobs
3042* Updated `viz install` to also include ServiceProfiles of its components.
3043 As a side-effect, `linkerd diagnostics install-sp` cmd has been removed
3044* Added support for Kubernetes resource aware tab completion for all
3045 viz commands
3046* Updated destination to prefer `ServiceProfile.dstOverrides` over
3047 `TrafficSplit` when both are present for a service
3048* Added toggle flags for `collector` and `jaeger` components in the
3049 jaeger extension (thanks @tarvip!)
3050* Added support for setting `nodeselector`, `toleration` fields for components
3051 in the Viz extension (thanks @aatarasoff!)
3052* Fixed a templating issue in Viz, making `podAnnotations` field
3053 work with prometheus
3054* Updated Golang version to 1.16.4
3055* Removed unnecessary `--addon-overwrite` flag in `linkerd upgrade`
3056
## edge-21.5.2

This edge release updates the proxy-init container to check whether the iptables
rules have already been added, which prevents errors if the proxy-init container
is restarted. Also, the `viz stat` command now has tab completion for Kubernetes
resources, saving you precious keystrokes! Finally, the proxy has been updated
with several fixes and improvements.

* Added instructions to `build.md` for using a locally built proxy
  (thanks @jroper!)
* Added support for Kubernetes resource aware tab completion to the `viz stat`
  command
* Updated `proxy-init` to skip configuring the firewall if the rules already exist
* Fixed `viz uninstall` to delete all RBAC objects (thanks @aryan9600!)
* Improved diagnostics for rejected profile discovery
* Added the `l5d-client-id` header on mutually-authenticated inbound requests so
  that applications can discover the client's identity.
* Reduced proxy resource usage when there are no profiles
* Changed the admin server to assume all meshed connections are HTTP/2 and fail
  connections when that is not the case
* Updated the proxy to require the `l5d-dst-override` header on outbound
  requests when the proxy is in ingress-mode
* Removed support for TCP-forwarding in ingress-mode

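An added example (not Linkerd's own code) of how a meshed Go service could use the `l5d-client-id` header from the list above for an authorization decision. The identity format `SERVICEACCOUNT.NAMESPACE.serviceaccount.identity.linkerd.TRUSTDOMAIN`, the `cluster.local` trust domain, the `policy` type and the service names are assumptions, as is the premise that the application port is reachable only through the inbound proxy.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header named in the release note; set by the proxy on mTLS'd inbound requests.
const clientIDHeader = "l5d-client-id"

// Assumption: SERVICEACCOUNT.NAMESPACE.serviceaccount.identity.linkerd.TRUSTDOMAIN
const identityInfix = ".serviceaccount.identity.linkerd."

type meshIdentity struct {
	ServiceAccount, Namespace, TrustDomain string
}

// parseIdentity splits a header value and rejects anything off-scheme.
func parseIdentity(v string) (meshIdentity, error) {
	// Last occurrence, so a dotted ServiceAccount name cannot shift boundaries.
	i := strings.LastIndex(v, identityInfix)
	if i <= 0 {
		return meshIdentity{}, errors.New("not a service account identity")
	}
	head, domain := v[:i], v[i+len(identityInfix):]
	// Namespaces are single DNS labels, so the namespace is head's last label.
	j := strings.LastIndex(head, ".")
	if j <= 0 || j == len(head)-1 || domain == "" {
		return meshIdentity{}, errors.New("missing service account, namespace or trust domain")
	}
	return meshIdentity{head[:j], head[j+1:], domain}, nil
}

// policy is a hypothetical allowlist keyed by "namespace/serviceaccount".
type policy struct {
	trustDomain string
	allowed     map[string]bool
}

// authorize maps the l5d-client-id values of one request to an HTTP status.
func (p policy) authorize(values []string) (meshIdentity, int) {
	if len(values) == 0 {
		return meshIdentity{}, http.StatusUnauthorized // no mesh identity presented
	}
	if len(values) > 1 {
		return meshIdentity{}, http.StatusBadRequest // ambiguous: refuse, do not pick one
	}
	id, err := parseIdentity(values[0])
	if err != nil {
		return meshIdentity{}, http.StatusBadRequest
	}
	if id.TrustDomain != p.trustDomain || !p.allowed[id.Namespace+"/"+id.ServiceAccount] {
		return id, http.StatusForbidden
	}
	return id, http.StatusOK
}

// requireMeshClient rejects requests whose client identity is not allowed.
func requireMeshClient(p policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, status := p.authorize(r.Header.Values(clientIDHeader)); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoHandler uses a constructed policy admitting only "web" in namespace "shop".
func demoHandler() http.Handler {
	p := policy{trustDomain: "cluster.local", allowed: map[string]bool{"shop/web": true}}
	return requireMeshClient(p, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
}

// probe sends one constructed request and returns the response status code.
func probe(h http.Handler, clientIDs ...string) int {
	req := httptest.NewRequest(http.MethodGet, "/orders", nil)
	for _, v := range clientIDs {
		req.Header.Add(clientIDHeader, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := demoHandler()
	const web = "web.shop.serviceaccount.identity.linkerd.cluster.local" // constructed
	const batch = "batch.jobs.serviceaccount.identity.linkerd.cluster.local"
	fmt.Println("allowed identity:", probe(h, web))
	fmt.Println("other identity:  ", probe(h, batch))
	fmt.Println("no identity:     ", probe(h))
	fmt.Println("two values:      ", probe(h, web, batch))
}
```
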
## edge-21.5.1

This edge release adds support for versioned hint URLs in `linkerd check` and
support for traffic splitting through ServiceProfiles, among other fixes and
improvements. Additionally, more options have been added to the
linkerd-multicluster and linkerd-jaeger helm charts.

* Added support for traffic splitting through a ServiceProfile's `dstOverrides`
  field.
* Added `nodePorts` option to the multicluster helm chart (thanks @psmit!).
* Added `nodeSelector` and toleration options to the linkerd-jaeger helm chart
  (thanks @aatarasoff!).
* Added versioned hint URLs to the CLI `check` command when encountering an
  error; each major CLI version will now point to that version's relevant
  section in the Linkerd troubleshooting page.
* Fixed an issue in the CLI `check` command where error messages for
  healthchecks that were being retried would be outputted repeatedly instead of
  just once.
* Fixed an issue in the proxy injector where a namespace annotated with opaque
  ports would overwrite all service annotations.
* Fixed a regression in the proxy that caused all logs to be output with ANSI
  control characters; logs are now output in plaintext by default.
* Simplified proxy internals in order to distinguish endpoint-forwarding logic
  from the handling of load balanced services.
* Simplified the ingress-mode outbound proxy by requiring the
  `l5d-dst-override` header and by failing non-HTTP communication. Proxies
  running in ingress-mode will not unexpectedly revert to insecure
  communication as a result.

## edge-21.4.5

This edge release adds a new output format `short` for `linkerd check` to show a
summary of the check output. This release also includes various proxy bug fixes
and improvements.

* Proxy
  * Fixed a task leak that would be triggered when clients disconnect a
    service in failfast.
  * Improved admin server protocol detection so that error messages are
    more descriptive about the underlying problem.
  * Fixed panics found in fuzz testing. These panics were extremely
    unlikely to occur in practice and would require very specific
    configuration overrides to be triggered.
* CLI
  * Added support for a new `short` format for the `--output` flag of the `check`
    command to show a summary of check results

## edge-21.4.4

This edge release further consolidates the control plane by removing the
linkerd-controller deployment and moving the sp-validator container into the
destination deployment.

Annotation inheritance has been added so that all Linkerd annotations
on a namespace resource will be inherited by pods within that namespace.
In addition, the `config.linkerd.io/proxy-await` annotation has been added which
enables the [linkerd-await](https://github.com/linkerd/linkerd-await)
functionality by default, simplifying the implementation of the await behavior.
Setting the annotation value to disabled will prevent this behavior.

Some of the `linkerd check` functionality has been updated. The command
ensures that annotations and labels are properly located in the YAML and adds
proxy checks for the control plane and extension pods.

Finally, the nginx container has been removed from the Multicluster gateway pod,
which will impact upgrades. Please see the note below.

**Upgrade note:** When the Multicluster extension is updated in both the
source and target clusters there won't be any downtime because this change only
affects the readiness probe. The multicluster links must be re-generated with
the `linkerd mc link` command, and the `linkerd mc gateways` command will show
the target cluster as not alive until the `linkerd mc link` command is re-run;
however, that shouldn't affect existing endpoints pointing to the target cluster.

* Added proxy checks for core control plane and extension pods
* Added support for awaiting proxy readiness using an annotation
* Added namespace annotation inheritance to pods
* Removed the linkerd-controller pod
* Moved sp-validator container into the destination deployment
* Added check verifying that labels and annotations are not mixed up
  (thanks @szymongib)
* Enabled support for extra initContainers to the linkerd-cni daemonset
  (thanks @mhulscher!)
* Removed nginx container from multicluster gateway pod
* Added an error message when there is nothing to uninstall

## stable-2.10.1

This stable release adds CLI support for Apple Silicon M1 chips and support for
SMI's TrafficSplit `v1alpha2`.

There are several proxy fixes: handling `FailedPrecondition` errors gracefully,
inbound TLS detection from non-meshed workloads, and using the correct cached
client when the proxy is in ingress mode. The logging infrastructure has also
been improved to reduce memory pressure in high-connection environments.

On the control-plane side, there have been several improvements to the
destination service such as support for Host IP lookups and ignoring pods
in "Terminating" state. It also updates the proxy-injector to add opaque ports
annotation to pods if their namespace has it set.

On the CLI side, `linkerd repair` has been updated to be aware of the control-plane
version and to suggest the relevant version to generate the right config. Various
bugs have been fixed around `linkerd identity`, etc.

**Upgrade notes**: Please refer to the [2.10 upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2100)
if you are upgrading from `2.9.x` or earlier versions.

* Proxy:
  * Fixed an issue where proxies could infinitely retry failed requests to the
    `destination` controller when it returned a `FailedPrecondition`
  * The proxy's logging infrastructure has been updated to reduce memory pressure
    in high-connection environments.
  * Fixed a caching issue in the outbound proxy that would cause it to
    forward traffic to the wrong pod when running in ingress mode.
  * Fixed an issue where inbound TLS detection from non-meshed workloads
    could break
  * Fixed an issue where the admin server's HTTP detection would fail and
    not recover; these are now handled gracefully and without logging warnings
  * Control plane proxies no longer emit warnings about the resolution stream ending.
    This error was innocuous.
  * Bumped the proxy-init image to v1.3.11 which updates the go version to be 1.16.2

* Control Plane:
  * Fixed an issue where the destination service would respond with too big of a
    header and result in http2 protocol errors
  * Fixed an issue where the destination control plane component sometimes returned
    endpoint addresses with a 0 port number while pods were undergoing a rollout
    (thanks @riccardofreixo!)
  * Fixed an issue where pod lookups by host IP and host port fail even though
    the cluster has a matching pod
  * Updated the IP Watcher in destination to ignore pods in "Terminating" state
    (thanks @Wenliang-CHEN!)
  * Modified the proxy-injector to add the opaque ports annotation to pods
    if their namespace has it set
  * Added support for TrafficSplit `v1alpha2`
  * Updated all the control-plane components to use go `1.16.2`.

* CLI:
  * Fixed an issue where the linkerd identity command returned the root
    certificate of a pod instead of its leaf certificates
  * Fixed an issue where the destination service would respond with too
    big of a header and result in http2 protocol errors
  * Updated the release process to build Linkerd CLI binaries for Apple
    Silicon M1 chips
  * Improved error messaging when trying to install Linkerd on a cluster
    that already had Linkerd installed
  * Added a loading spinner to the linkerd check command when running
    extension checks
  * Added installNamespace toggle in the jaeger extension's install.
    (thanks @jijeesh!)
  * Updated healthcheck pkg to have hintBaseURL configurable, useful
    for external extensions using that pkg
  * Fixed TCP read and write bytes/sec calculations to group by label
    based off inbound or outbound traffic
  * Fixed an issue in linkerd inject where the wrong annotation would
    be added when using --ingress flag
  * Updated `linkerd repair` to be aware of the client and server versions
  * Updated `linkerd uninstall` to print error message when there are no
    resources to uninstall.

* Helm:
  * Aligned the Helm installation heartbeat schedule to match that of the CLI

* Viz:
  * Fixed an issue where the topology graph in the dashboard was no
    longer draggable.
  * Updated dashboard build to use webpack v5
  * Added CA certs to the Viz extension's metrics-api container so
    that it can validate the certificate of an external Prometheus
  * Removed components from the control plane dashboard that now
    are part of the Viz extension
  * Changed web's base image from debian to scratch

* Multicluster:
  * Fixed an issue with Multicluster's service mirror where its endpoint
    repair retries were not properly rate limited

* Jaeger:
  * Fixed components in the Jaeger extension to set the correct Prometheus
    scrape values

## edge-21.4.3

This edge supersedes `edge-21.4.2` as a release candidate for `stable-2.10.1`!

This release adds support for TrafficSplit `v1alpha2`. Additionally, it includes
improvements to the web and `proxy-init` images.

* Added support for TrafficSplit `v1alpha2`
* Changed web base image from debian to scratch
* Bumped the `proxy-init` image to `v1.3.11` which updates
  the go version to be `1.16.2`

## edge-21.4.2

This edge release is another candidate for `stable-2.10.1`!

It includes some CLI fixes and addresses an issue where the outbound proxy
would forward traffic to the wrong pod when running in ingress mode.

Thank you to all of our users that have helped test and identify issues in 2.10!

* Fixed an issue in `linkerd inject` where the wrong annotation would be
  added when using `--ingress` flag
* Fixed a nil pointer dereference in `linkerd repair` caused by a mismatch
  between CLI and server versions
* Removed an unnecessary error handling condition in multicluster check
  (thanks @wangchenglong01!)
* Fixed a caching issue in the outbound proxy that would cause it to
  forward traffic to the wrong pod when running in ingress mode.
* Removed unsupported `matches` field from TrafficSplit CRD

## edge-21.4.1

This is a release candidate for `stable-2.10.1`!

This includes several fixes for the core installation as well as the Multicluster,
Jaeger, and Viz extensions. There are two significant proxy fixes that address
TLS detection and admin server failures.

Thanks to all our 2.10 users who helped discover these issues!

* Fixed TCP read and write bytes/sec calculations to group by label based off
  inbound or outbound traffic
* Updated dashboard build to use webpack v5
* Modified the proxy-injector to add the opaque ports annotation to pods if
  their namespace has it set
* Added CA certs to the Viz extension's `metrics-api` container so that it can
  validate the certificate of an external Prometheus
* Fixed an issue where inbound TLS detection from non-meshed workloads could
  break
* Fixed an issue where the admin server's HTTP detection would fail and not
  recover; these are now handled gracefully and without logging warnings
* Aligned the Helm installation heartbeat schedule to match that of the CLI
* Fixed an issue with Multicluster's service mirror where its endpoint repair
  retries were not properly rate limited
* Removed components from the control plane dashboard that now are part of the
  Viz extension
* Fixed components in the Jaeger extension to set the correct Prometheus scrape
  values

## edge-21.3.4

This release fixes some issues around publishing the CLI binary
for Apple Silicon M1 chips. This release also includes some fixes and
improvements to the dashboard, destination, and the CLI.

* Fixed an issue where the topology graph in the dashboard was no longer
  draggable
* Updated the IP Watcher in destination to ignore pods in "Terminating" state
  (thanks @Wenliang-CHEN!)
* Added `installNamespace` toggle in the jaeger extension's install.
  (thanks @jijeesh!)
* Updated `healthcheck` pkg to have `hintBaseURL` configurable, useful
  for external extensions using that pkg
* Added multi-arch support for RabbitMQ integration tests (thanks @barkardk!)

## edge-21.3.3

This release includes various bug fixes and improvements to the CLI, the
identity and destination control plane components as well as the proxy. This
release also ships with a new CLI binary for Apple Silicon M1 chips.

* Added new RabbitMQ integration tests (thanks @barkardk!)
* Updated the Go version to 1.16.2
* Fixed an issue where the `linkerd identity` command returned the root
  certificate of a pod instead of its leaf certificate
* Fixed an issue where the destination service would respond with too big of a
  header and result in http2 protocol errors
* Updated the release process to build Linkerd CLI binaries for Apple Silicon
  M1 chips
* Improved error messaging when trying to install Linkerd on a cluster that
  already had Linkerd installed
* Fixed an issue where the `destination` control plane component sometimes
  returned endpoint addresses with a `0` port number while pods were
  undergoing a rollout (thanks @riccardofreixo!)
* Added a loading spinner to the `linkerd check` command when running extension
  checks
* Fixed an issue where pod lookups by host IP and host port fail even though
  the cluster has a matching pod
* Control plane proxies no longer emit warnings about the resolution stream
  ending. This error was innocuous.
* Fixed an issue where proxies could infinitely retry failed requests to the
  `destination` controller when it returned a `FailedPrecondition`
* The proxy's logging infrastructure has been updated to reduce memory pressure
  in high-connection environments.

## stable-2.10.0

This release introduces Linkerd extensions. The default control plane no longer
includes Prometheus, Grafana, the dashboard, or several other components that
previously shipped by default. This results in a much smaller and simpler set
of core functionalities. Visibility and metrics functionality is now available
in the Viz extension under the `linkerd viz` command. Cross-cluster
communication functionality is now available in the Multicluster extension
under the `linkerd multicluster` command. Distributed tracing functionality is
now available in the Jaeger extension under the `linkerd jaeger` command.

This release also introduces the ability to mark certain ports as "opaque",
indicating that the proxy should treat the traffic as opaque TCP instead of
attempting protocol detection. This allows the proxy to provide TCP metrics
and mTLS for server-speaks-first protocols. It also enables support for
TCP traffic in the Multicluster extension.

**Upgrade notes**: Please see the [upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2100).

* Proxy
  * Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains
    enabled for compatibility with prior proxy versions
  * Improved support for server-speaks-first protocols by allowing ports to be
    marked as opaque, causing the proxy to skip protocol detection. Ports can
    be marked as opaque by setting the `config.linkerd.io/opaque-ports`
    annotation on the Pod and Service or by using the `--opaque-ports` flag with
    `linkerd inject`
  * Ports `25,443,587,3306,5432,11211` have been removed from the default skip
    ports; all traffic through those ports is now proxied and handled opaquely
    by default
  * Fixed an issue that could cause proxies in "ingress mode"
    (`linkerd.io/inject: ingress`) to use an excessive amount of memory
  * Improved diagnostic logging around "fail fast" and "max-concurrency
    exhausted" error messages
  * Added a new `/shutdown` admin endpoint that may only be accessed over the
    loopback network allowing batch jobs to gracefully terminate the proxy on
    completion

* Control Plane
  * Removed all components and functionality related to visibility, tracing,
    or multicluster. These have been moved into extensions
  * Changed the identity controller to receive the trust anchor via environment
    variable instead of by flag; this allows the certificate to be loaded from a
    config map or secret (thanks @mgoltzsche!)
  * Added PodDisruptionBudgets to the control plane components so that they
    cannot be all terminated at the same time during disruptions
    (thanks @tustvold!)

* CLI
  * Changed the `check` command to include each installed extension's `check`
    output; this allows users to check for proper configuration and installation
    of Linkerd without running a command for each extension
  * Moved the `metrics`, `endpoints`, and `install-sp` commands into subcommands
    under the `diagnostics` command
  * Added an `--opaque-ports` flag to `linkerd inject` to easily mark ports
    as opaque.
  * Added the `repair` command which will repopulate resources needed for
    properly upgrading a Linkerd installation
  * Added Helm-style `set`, `set-string`, `values`, `set-files` customization
    flags for the `linkerd install` and `linkerd upgrade` commands
  * Introduced the `linkerd identity` command, used to fetch the TLS certificates
    for injected pods (thanks @jimil749)
  * Removed the `get` and `logs` commands from the CLI

* Helm
  * Changed many Helm values; please see the upgrade notes

* Viz
  * Introduced the `linkerd viz` subcommand which contains commands for
    installing the viz extension and all visibility commands
  * Updated the Web UI to only display the "Gateway" sidebar link when the
    multicluster extension is active
  * Added a `linkerd viz list` command to list pods with tap enabled
  * Fixed an issue where the `tap` APIServer would not refresh its certs
    automatically when provided externally—like through cert-manager

* Multicluster
  * Introduced the `linkerd multicluster` subcommand which contains commands for
    installing the multicluster extension and all multicluster commands
  * Added support for cross-cluster TCP traffic
  * Updated the service mirror controller to copy the
    `config.linkerd.io/opaque-ports` annotation when mirroring services so that
    cross-cluster traffic can be correctly handled as opaque
  * Added support for multicluster gateways of types other than LoadBalancer
    (thanks @DaspawnW!)

* Jaeger
  * Introduced the `linkerd jaeger` subcommand which contains commands for
    installing the jaeger extension and all tracing commands
  * Added a `linkerd jaeger list` command to list pods with tracing enabled

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible:
[Lutz Behnke](https://github.com/cypherfox)
[Björn Wenzel](https://github.com/DaspawnW)
[Filip Petkovski](https://github.com/fpetkovski)
[Simon Weald](https://github.com/glitchcrab)
[GMarkfjard](https://github.com/GMarkfjard)
[hodbn](https://github.com/hodbn)
[Hu Shuai](https://github.com/hs0210)
[Jimil Desai](https://github.com/jimil749)
[jiraguha](https://github.com/jiraguha)
[Joakim Roubert](https://github.com/joakimr-axis)
[Josh Soref](https://github.com/jsoref)
[Kelly Campbell](https://github.com/kellycampbell)
[Matei David](https://github.com/mateiidavid)
[Mayank Shah](https://github.com/mayankshah1607)
[Max Goltzsche](https://github.com/mgoltzsche)
[Mitch Hulscher](https://github.com/mhulscher)
[Eugene Formanenko](https://github.com/mo4islona)
[Nathan J Mehl](https://github.com/n-oden)
[Nicolas Lamirault](https://github.com/nlamirault)
[Oleh Ozimok](https://github.com/oleh-ozimok)
[Piyush Singariya](https://github.com/piyushsingariya)
[Naga Venkata Pradeep Namburi](https://github.com/pradeepnnv)
[rish-onesignal](https://github.com/rish-onesignal)
[Shai Katz](https://github.com/shaikatz)
[Takumi Sue](https://github.com/tkms0106)
[Raphael Taylor-Davies](https://github.com/tustvold)
[Yashvardhan Kukreja](https://github.com/yashvardhan-kukreja)

## edge-21.3.2

This edge release is another release candidate for stable 2.10 and fixes some
final bugs found in testing. A big thank you to users who have helped us
identify these issues!

* Fixed an issue with the service profile validating webhook that prevented
  service profiles from being added or updated
* Updated the `check` command output hint anchors to match Linkerd component
  names
* Fixed a permission issue with the Viz extension's tap admin cluster role by
  adding namespace listing to the allowed actions
* Fixed an issue with the proxy where connections would not be torn down when
  communicating with a defunct endpoint
* Improved diagnostic logging in the proxy
* Fixed an issue with the Viz extension's Prometheus template that prevented
  users from specifying a log level flag for that component (thanks @n-oden!)
* Fixed a template parsing issue that prevented users from specifying additional
  ignored inbound ports through Helm's `--set` flag
* Fixed an issue with the proxy where non-HTTP streams could sometimes hang due
  to TLS buffering

## edge-21.3.1

This edge release is another release candidate, bringing us closer to
`stable-2.10.0`! It fixes the Helm install/upgrade procedure and ships some new
CLI commands, among other improvements.

* Fixed Helm install/upgrade, which was failing when not explicitly setting
  `proxy.image.version`
* Added a warning in the dashboard when viewing tap streams from resources that
  don't have tap enabled
* Added the command `linkerd viz list` to list meshed pods and indicate which can
  be tapped, which need to be restarted before they can be tapped, and which
  have tap disabled
* Similarly, added the command `linkerd jaeger list` to list meshed pods and
  indicate which will participate in tracing
* Added the `--opaque-ports` flag to `linkerd inject` to specify the list of
  opaque ports when injecting pods (and services)
* Simplified the output of `linkerd jaeger check`, combining the checks for the
  status of each component into a single check
* Changed the destination component to receive the list of default opaque ports
  set during install so that it's properly reflected during discovery
* Lowered the level of the proxy server's I/O-related "Connection closed" messages
  from info to debug, as they were not providing actionable information

## edge-21.2.4

This edge is a release candidate for `stable-2.10.0`! It wraps up the functional
changes planned for the upcoming stable release. We hope you can help us test
this in your staging clusters so that we can address anything unexpected before
an official stable.

This release introduces support for CLI extensions. The Linkerd `check` command
will now invoke each extension's `check` command so that users can check the
health of their Linkerd installation and extensions with one command. Additional
documentation will follow for developers interested in creating extensions.

Additionally, there is no longer a default list of ports skipped by the proxy.
These ports have been moved to opaque ports, meaning protocols like MySQL will
be encrypted by default and without user input.

* Cleaned up entries in `values.yaml` by removing `do not edit` entries; they
  are now hardcoded in the templates
* Added the count of service profiles installed in a cluster to the Heartbeat
  metrics
* Fixed CLI commands which would unnecessarily print usage instructions after
  encountering API errors (thanks @piyushsingariya!)
* Fixed the `install` command so that it errors after detecting there is an
  existing Linkerd installation in the cluster
* Changed the identity controller to receive the trust anchor via environment
  variable instead of by flag; this allows the certificate to be loaded from a
  config map or secret (thanks @mgoltzsche!)
* Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains enabled
  for compatibility with prior proxy versions
* The opaque ports annotation is now supported on services and enables users to
  use this annotation on mirrored services in multicluster installations
* Reverted the renaming of the `mirror.linkerd.io` label
* Ports `25,443,587,3306,5432,11211` have been removed from the default skip
  ports; all traffic through those ports is now proxied and handled opaquely by
  default
* Errors configuring the firewall in CNI are propagated so that they can be
  handled by the user
* Removed Viz extension warnings from the `check --proxy` command when tap is
  not configured for pods; this is now handled by the `viz tap` command
* Added support for CLI extensions as well as ensuring their `check` commands
  are invoked by Linkerd's `check` command
* Moved the `metrics`, `endpoints`, and `install-sp` commands into subcommands
  under the `diagnostics` command.
* Removed the `linkerd-` prefix from non-cluster scoped resources in the Viz and
  Jaeger extensions
* Added the linkerd-await helper to all Linkerd containers so that the proxy can
  initialize before the components start making outbound connections
* Removed the `tcp_connection_duration_ms` histogram from the metrics export to
  fix high cardinality issues that surfaced through high memory usage

## edge-21.2.3

This release wraps up most of the functional changes planned for the upcoming
`stable-2.10.0` release. Try this edge release in your staging cluster and
let us know if you see anything unexpected!

* **Breaking change**: Changed the multicluster `Service`-export annotation
  from `mirror.linkerd.io/exported` to `multicluster.linkerd.io/export`
* Updated the proxy-injector to set the `config.linkerd.io/opaque-ports`
  annotation on newly-created `Service` objects when the annotation is set on
  its parent `Namespace`
* Updated the proxy-injector to ignore pods that have disabled
  `automountServiceAccountToken` (thanks @jimil749)
* Updated the proxy to log warnings when control plane components are
  unresolvable
* Updated the Destination controller to cache node topology metadata (thanks
  @fpetkovski)
* Updated the CLI to handle API errors without printing the CLI usage (thanks
  @piyushsingariya)
* Updated the Web UI to only display the "Gateway" sidebar link when the
  multicluster extension is active
* Fixed the Web UI on Chrome v88 (thanks @kellycampbell)
* Improved `install` and `uninstall` behavior for extensions to prevent
  control-plane components from being left in a broken state
* Docker images are now hosted on the `cr.l5d.io` registry
* Updated base docker images to buster-20210208-slim
* Updated the Go version to 1.14.15
* Updated the proxy to prevent outbound connections to localhost to protect
  against traffic loops

## edge-21.2.2

This edge release introduces support for multicluster TCP!

The `repair` command was added which will repopulate resources needed for
upgrading from a `2.9.x` installation. There will be an error message during the
upgrade process indicating that this command should be run so that users do not
need to guess.

Lastly, it contains a breaking change for Helm users. The `global` field has
been removed from the Helm chart now that it is no longer needed. Users will
need to pass in the identity certificates again—along with any other
customizations, no longer rooted at `global`.

* **Breaking change**: Removed the `Global` field from the Linkerd Helm chart
  now that it is unused because of the extension model
* Added the `repair` command which will repopulate resources needed for properly
  upgrading a Linkerd installation
* Fixed the spelling of the `sidecarContainers` key in the Viz extension Helm
  chart to match that of the template (thanks @n-oden!)
* Added the `tapInjector.logLevel` key to the Viz extension helm chart so that
  the log level of the component can be configured
* Removed the `--disable-tap` flag from the `inject` command now that tap is no
  longer part of the core installation (thanks @mayankshah1607!)
* Changed proxy configuration to use fully-qualified DNS names to avoid extra
  search paths in DNS resolutions
* Changed the `check` command to include each installed extension's `check`
  output; this allows users to check for proper configuration and installation
  of Linkerd without running a command for each extension
* Added proxy support for TCP traffic to the multicluster gateways

## edge-21.2.1

This edge release continues improving the proxy's diagnostics and also avoids
timing out when the HTTP protocol detection fails. Additionally, old resource
versions were upgraded to avoid warnings in k8s v1.19. Finally, it comes with
lots of CLI improvements detailed below.

* Improved the proxy's diagnostic metrics to help us get better insights into
  services that are in fail-fast
* Improved the proxy's HTTP protocol detection to prevent timeout errors
* Upgraded CRD and webhook config resources to get rid of warnings in k8s v1.19
  (thanks @mateiidavid!)
* Added viz components into the Linkerd Health Grafana charts
* Had the tap injector add a `viz.linkerd.io/tap-enabled` annotation when
  injecting a pod, which allowed providing clearer feedback for the
  `linkerd tap` command
* Had the jaeger injector add a `jaeger.linkerd.io/tracing-enabled` annotation
  when injecting a pod, which also allowed providing better feedback for the
  `linkerd jaeger check` command
* Improved the `linkerd uninstall` command so it fails gracefully when there
  still are injected resources in the cluster (a `--force` flag was provided
  too)
* Moved the `linkerd profile --tap` functionality into a new command
  `linkerd viz profile --tap`, given tap now belongs to the viz extension
* Expanded the `linkerd viz check` command to include data-plane checks
* Cleaned up YAML in templates that was incompatible with SOPS (thanks
  @tkms0106!)

3676## edge-21.1.4
3677
3678This edge release continues to polish the Linkerd extension model and improves
3679the robustness of the opaque transport.
3680
3681* Improved the consistency of behavior of the `check` commands between
3682 Linkerd extensions
* Fixed an issue where Linkerd extension commands could be run before the
  extension was fully installed
* Renamed some extension Helm charts for consistency:
  * jaeger -> linkerd-jaeger
  * linkerd2-multicluster -> linkerd-multicluster
  * linkerd2-multicluster-link -> linkerd-multicluster-link
* Fixed an issue that could cause the inbound proxy to fail meshed HTTP/1
  requests from older proxies (from the stable-2.8.x vintage)
* Changed opaque-port transport to be advertised via ALPN so that new proxies
  will not initiate opaque-transport connections to proxies from prior edge
  releases
* Added inbound proxy transport metrics with `tls="passthru"` when forwarding
  non-mesh TLS connections
* Thanks to @hs0210 for adding new unit tests!

## edge-21.1.3

This edge release improves proxy diagnostics and recovery in situations where
the proxy is temporarily unable to route requests. Additionally, the `viz` and
`multicluster` CLI sub-commands have been updated for consistency.

Full release notes:

* Added Helm-style `set`, `set-string`, `values`, `set-files` customization
  flags for the `linkerd install` and `linkerd multicluster install` commands
* Fixed an issue where `linkerd metrics` could return metrics for the incorrect
  set of pods when there are overlapping label selectors
* Added tap-injector to linkerd-viz which is responsible for adding the tap
  service name environment variable to the Linkerd proxy container
* Improved diagnostics when the proxy is temporarily unable to route requests
* Made proxy recovery for a service more robust when the proxy is unable to
  route requests, even when new requests are being received
* Added `client` and `server` prefixes in the proxy logs for socket-level errors
  to indicate which side of the proxy encountered the error
* Improved jaeger-injector reliability in environments with many resources by
  adding watch RBAC permissions
* Added check to confirm whether the jaeger-injector pod is in running state
  (thanks @yashvardhan-kukreja!)
* Fixed a crash in the destination controller when EndpointSlices are enabled
  (thanks @oleh-ozimok!)
* Added a `linkerd viz check` sub-command to verify the states of the
  `linkerd-viz` components
* Added a `log-format` flag to optionally output the control plane component log
  output as JSON (thanks @mo4islona!)
* Updated the logic in the `metrics` and `profile` subcommands to use the
  `namespace` specified by the `current-context` of the KUBECONFIG so that it is
  no longer necessary to use the `--namespace` flag to query resources in the
  current namespace. Queries for resources in namespaces other than the
  current namespace still require the `--namespace` flag
* Added new pod 'linkerd-metrics-api' set up by `linkerd viz install` that
  manages all functionality dependent on Prometheus, thus removing most of the
  dependencies on Prometheus from the linkerd core installation
* Removed need to have linkerd-viz installed for the
  `linkerd multicluster check` command to properly work.

## edge-21.1.2

This edge release continues the work on decoupling non-core Linkerd components.
Commands that use the viz extension, i.e., `dashboard`, `edges`, `routes`,
`stat`, `tap` and `top`, are moved to the `viz` sub-command. These commands are
still available under root but are marked as deprecated and will be removed in
a later stable release.

This release also upgrades the proxy's dependencies to the Tokio v1 ecosystem.

* Moved sub-commands that use the viz extension under `viz`
* Started ignoring pods with `Succeeded` status when watching IP addresses
  in destination. This allows the re-use of IPs of terminated pods
* Supported the bring-your-own-Jaeger use case by adding `collector.jaegerAddr`
  in the Jaeger extension.
* Fixed an issue with the generation of working manifests in the
  `podAntiAffinity` use-case
* Added support for the modification of proxy resources in the viz
  extension through `values.yaml` in Helm and flags in CLI.
* Improved error reporting for port-forward logic with namespace
  and pod data, used across dashboard, checks, etc
  (thanks @piyushsingariya)
* Added support to disable the rendering of `linkerd-viz` namespace
  resource in the viz extension (thanks @nlamirault)
* Made service-profile generation work offline with `--ignore-cluster`
  flag (thanks @piyushsingariya)
* Upgraded the proxy's dependencies to the Tokio v1 ecosystem

## edge-21.1.1

This edge release introduces a new "opaque transport" feature that allows the
proxy to securely transport server-speaks-first and otherwise opaque TCP
traffic. Using the `config.linkerd.io/opaque-ports` annotation on pods and
namespaces, users can configure ports that should skip the proxy's protocol
detection.

Additionally, a new `linkerd-viz` extension has been introduced that separates
the installation of the Grafana, Prometheus, web, and tap components. This
extension closely follows the Jaeger and multicluster extensions; users can
`install` and `uninstall` with the `linkerd viz ..` command as well as configure
for HA with the `--ha` flag.

The `linkerd viz install` command does not have any CLI flags to customize the
install directly, but instead follows the Helm way of customization by using
flags such as `set`, `set-string`, `values`, `set-files`.

Finally, a new `/shutdown` admin endpoint that may only be accessed over the
loopback network has been added. This allows batch jobs to gracefully terminate
the proxy on completion. The `linkerd-await` utility can be used to automate
this.

* Added a new `linkerd multicluster check` command to validate that the
  `linkerd-multicluster` extension is working correctly
* Fixed description in the `linkerd edges` command (thanks @jsoref!)
* Moved the Grafana, Prometheus, web, and tap components into a new Viz chart,
  following the same extension model that multicluster and Jaeger follow
* Introduced a new "opaque transport" feature that allows the proxy to securely
  transport server-speaks-first and otherwise opaque TCP traffic
* Removed the check comparing the `ca.crt` field in the identity issuer secret
  and the trust anchors in the Linkerd config; these values being different is
  not a failure case for the `linkerd check` command (thanks @cypherfox!)
* Removed the Prometheus check from the `linkerd check` command since it now
  depends on a component that is installed with the Viz extension
* Fixed error messages thrown by the cert checks in `linkerd check` (thanks
  @pradeepnnv!)
* Added PodDisruptionBudgets to the control plane components so that they cannot
  be all terminated at the same time during disruptions (thanks @tustvold!)
* Fixed an issue that displayed the wrong `linkerd.io/proxy-version` when it is
  overridden by annotations (thanks @mateiidavid!)
* Added support for custom registries in the `linkerd-viz` Helm chart (thanks
  @jimil749!)
* Renamed `proxy-mutator` to `jaeger-injector` in the `linkerd-jaeger` extension
* Added a new `/shutdown` admin endpoint that may only be accessed over the
  loopback network allowing batch jobs to gracefully terminate the proxy on
  completion
* Introduced the `linkerd identity` command, used to fetch the TLS certificates
  for injected pods (thanks @jimil749)
* Fixed an issue with the CNI plugin where it was incorrectly terminating and
  emitting error events (thanks @mhulscher!)
* Re-added support for non-LoadBalancer service types in the
  `linkerd-multicluster` extension

## edge-20.12.4

This edge release adds support for the `config.linkerd.io/opaque-ports`
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
`linkerd-jaeger` extension, fixes bugs in the CLI `install` and `upgrade`
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.

* Added support for the `config.linkerd.io/opaque-ports` annotation on pods and
  namespaces, to indicate to the proxy that some ports should skip protocol
  detection
* Fixed an issue where `linkerd install --ha` failed to honor flags
* Fixed an issue where `linkerd upgrade --ha` can override existing configs
* Added missing label to the `linkerd-config-overrides` secret to avoid breaking
  upgrades performed with the help of `kubectl apply --prune`
* Added a missing icon to Jaeger Helm chart
* Added new `linkerd jaeger check` CLI command to validate that the
  `linkerd-jaeger` extension is working correctly
* Added new `linkerd jaeger uninstall` CLI command to print the `linkerd-jaeger`
  extension's resources so that they can be piped into `kubectl delete`
* Fixed an issue where the `linkerd-cni` daemonset may not be installed on all
  intended nodes, due to missing tolerations to the `linkerd-cni` Helm chart
  (thanks @rish-onesignal!)
* Fixed an issue where the `tap` APIServer would not refresh its certs
  automatically when provided externally—like through cert-manager
* Changed the proxy's cache eviction strategy to reduce memory consumption,
  especially for busy HTTP/1.1 clients
* Fixed an issue in the proxy's HTTP protocol detection which could cause false
  positives for non-HTTP traffic
* Increased the proxy's default dispatch timeout to 5 seconds to accommodate
  connection pools which might open connections without immediately making a
  request
* Updated the proxy's Tokio dependency to v0.3

## edge-20.12.3

This edge release is functionally the same as `edge-20.12.2`. It fixes an issue
that prevented the release build from occurring.

## edge-20.12.2

* Fixed an issue where the `proxy-injector` and `sp-validator` did not refresh
  their certs automatically when provided externally—like through cert-manager
* Added support for overrides flags to the `jaeger install` command to allow
  setting Helm values when installing the Linkerd-jaeger extension
* Added missing Helm values to the multicluster chart (thanks @DaspawnW!)
* Moved tracing functionality to the `linkerd-jaeger` extension
* Fixed various issues in developer shell scripts (thanks @joakimr-axis!)
* Fixed an issue where `install --ha` was only partially applying the high
  availability config
* Updated RBAC API versions in the CNI chart (thanks @glitchcrab!)
* Fixed an issue where TLS credentials are changed during upgrades, but the
  Linkerd webhooks would not restart, leaving them to use older credentials and
  fail requests
* Stopped publishing the multicluster link chart as its primary use case is in
  the `multicluster link` command and not being installed through Helm
* Added service mirror error logs for when the multicluster gateway's hostname
  cannot be resolved.

## edge-20.12.1

This edge release continues the work of decoupling non-core Linkerd components
by moving more tracing related functionality into the Linkerd-jaeger extension.

* Continued work on moving tracing functionality from the main control plane
  into the `linkerd-jaeger` extension
* Fixed a potential panic in the proxy when looking up a socket's peer address
  while under high load
* Added automatic readme generation for charts (thanks @GMarkfjard!)
* Fixed zsh completion for the CLI (thanks @jiraguha!)
* Added support for multicluster gateways of types other than LoadBalancer
  (thanks @DaspawnW!)

## edge-20.11.5

This edge release improves the proxy's support for high-traffic workloads. It
also contains the first steps towards decoupling non-core Linkerd components,
the first iteration being a new `linkerd jaeger` sub-command for installing
tracing. Please note this is still a work in progress.

* Addressed some issues reported around clients seeing max-concurrency errors by
  increasing the default in-flight request limit to 100K pending requests
* Have the proxy appropriately set `content-type` when synthesizing gRPC error
  responses
* Bumped the `proxy-init` image to `v1.3.8` which is based off of
  `buster-20201117-slim` to reduce potential security vulnerabilities
* No longer panic in rare cases when `linkerd-config` doesn't have an entry for
  `Global` configs (thanks @hodbn!)
* Work in progress: the `/jaeger` directory now contains the charts and commands
  for installing the tracing component.

## edge-20.11.4

* Fixed an issue in the destination service where endpoints always included a
  protocol hint, regardless of the controller label being present or not

## edge-20.11.3

This edge release improves support for CNI by properly handling parameters
passed to the `nsenter` command, relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service is modified.
This release also improves Linkerd proxy performance by eliminating unnecessary
endpoint resolutions for TCP traffic and properly tearing down serverside
connections when errors occur.

* Added HTTP/2 keepalive PING frames
* Removed logic to avoid redundant TCP endpoint resolution
* Fixed an issue where serverside connections were not torn down when an error
  occurs
* Updated `linkerd check` so that it doesn't attempt to validate the subject
  alternative name (SAN) on root and intermediate certificates. SANs for leaf
  certificates will continue to be validated
* Fixed a CLI issue where the `linkerd-namespace` flag is not honored when
  passed to the `install` and `upgrade` commands
* Fixed an issue where the proxy does not receive updated endpoint information
  when a headless service is modified
* Updated the control plane Docker images to use `buster-20201117-slim` to
  reduce potential security vulnerabilities
* Updated the proxy-init container to `v1.3.7` which fixes CNI issues in certain
  environments by properly parsing `nsenter` args

## edge-20.11.2

This edge release reduces memory consumption of Linkerd proxies which maintain
many idle connections (such as Prometheus). It also removes some obsolete
commands from the CLI and allows setting custom annotations on multicluster
gateways.

* Reduced the default idle connection timeout to 5s for outbound clients and
  20s for inbound clients to reduce the proxy's memory footprint, especially on
  Prometheus instances
* Added support for setting annotations on the multicluster gateway in Helm
  which allows setting the load balancer as internal (thanks @shaikatz!)
* Removed the `get` and `logs` command from the CLI

## stable-2.9.0

This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
connections, allowing Linkerd to transparently encrypt and authenticate all TCP
connections in the cluster the moment it's installed. It also adds ARM support,
introduces a new multi-core proxy runtime for higher throughput, adds support
for Kubernetes service topologies, and lots, lots more, as described below:

* Proxy
  * Performed internal improvements for lower latencies under high concurrency
  * Reduced performance impact of logging, especially when the `debug` or
    `trace` log levels are disabled
  * Improved error handling for DNS errors encountered when discovering control
    plane addresses; this can be common during installation before all
    components have been started, allowing Linkerd to continue to operate
    normally in HA during node outages

* Control Plane
  * Added support for [topology-aware service
    routing](https://kubernetes.io/docs/concepts/services-networking/service-topology/)
    to the Destination controller; when providing service discovery updates to
    proxies the Destination controller will now filter endpoints based on the
    service's topology preferences
  * Added support for the new Kubernetes
    [EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)
    resource to the Destination controller; Linkerd can be installed with
    `--enable-endpoint-slices` flag to use this resource rather than the
    Endpoints API in clusters where this new API is supported

* Dashboard
  * Added new Spanish translations (please help us translate into your
    language!)
  * Added new section for exposing multicluster gateway metrics

* CLI
  * Renamed the `--addon-config` flag to `--config` to clarify this flag can be
    used to set any Helm value
  * Added fish shell completions to the `linkerd` command

* Multicluster
  * Replaced the single `service-mirror` controller with separate controllers
    that will be installed per target cluster through `linkerd multicluster
    link`
  * Changed the mechanism for mirroring services: instead of relying on
    annotations on the target services, now the source cluster should specify
    which services from the target cluster should be exported by using a label
    selector
  * Added support for creating multiple service accounts when installing
    multicluster with Helm to allow more granular revocation
  * Added a multicluster `unlink` command for removing multicluster links

* Prometheus
  * Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this
    makes the Linkerd Prometheus more configurable, gives it a separate upgrade
    lifecycle from the rest of the control plane, and allows users to
    disable the bundled Prometheus instance
  * The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:
    added `global.prometheusUrl` to the Helm config to have Linkerd use an
    external Prometheus instance instead of the one provided by default
  * Added an option to persist data to a volume instead of memory, so that
    historical metrics are available when Prometheus is restarted
  * The Helm chart can now configure persistent storage and limits

* Other
  * Added a new `linkerd.io/inject: ingress` annotation and accompanying
    `--ingress` flag to the `inject` command, to configure the proxy to support
    service profiles and enable per-route metrics and traffic splits for HTTP
    ingress controllers
  * Changed the type of the injector and tap API secrets to `kubernetes.io/tls`
    so they can be provisioned by cert-manager
  * Changed default docker image repository to `ghcr.io` from `gcr.io`; **Users
    who pull the images into private repositories should take note of this
    change**
  * Introduced support for authenticated docker registries
  * Simplified the way that Linkerd stores its configuration; configuration is
    now stored as Helm values in the `linkerd-config` ConfigMap
  * Added support for Helm configuration of per-component proxy resource
    requests

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: [Abereham G
Wodajie](https://github.com/Abrishges), [Alexander
Berger](https://github.com/alex-berger), [Ali
Ariff](https://github.com/aliariff), [Arthur Silva
Sens](https://github.com/ArthurSens), [Chris
Campbell](https://github.com/campbel), [Daniel
Lang](https://github.com/mavrick), [David Tyler](https://github.com/DaveTCode),
[Desmond Ho](https://github.com/DesmondH0), [Dominik
Münch](https://github.com/muenchdo), [George
Garces](https://github.com/jgarces21), [Herrmann
Hinz](https://github.com/HerrmannHinz), [Hu Shuai](https://github.com/hs0210),
[Jeffrey N. Davis](https://github.com/penland365), [Joakim
Roubert](https://github.com/joakimr-axis), [Josh
Soref](https://github.com/jsoref), [Lutz Behnke](https://github.com/cypherfox),
[MaT1g3R](https://github.com/MaT1g3R), [Marcus Vaal](https://github.com/mvaal),
[Markus](https://github.com/mbettsteller), [Matei
David](https://github.com/mateiidavid), [Matt
Miller](https://github.com/mmiller1), [Mayank
Shah](https://github.com/mayankshah1607),
[Naseem](https://github.com/naseemkullah), [Nil](https://github.com/c-n-c),
[OlivierB](https://github.com/olivierboudet), [Olukayode
Bankole](https://github.com/rbankole), [Paul
Balogh](https://github.com/javaducky), [Rajat
Jindal](https://github.com/rajatjindal), [Raphael
Taylor-Davies](https://github.com/tustvold), [Simon
Weald](https://github.com/glitchcrab), [Steve
Gray](https://github.com/steve-gray), [Suraj
Deshmukh](https://github.com/surajssd), [Tharun
Rajendran](https://github.com/tharun208), [Wei Lun](https://github.com/WLun001),
[Zhou Hao](https://github.com/zhouhao3), [ZouYu](https://github.com/Hellcatlk),
[aimbot31](https://github.com/aimbot31),
[iohenkies](https://github.com/iohenkies), [memory](https://github.com/memory),
and [tbsoares](https://github.com/tbsoares)

## edge-20.11.1

This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.

* Fixed issue where the `check` command would error when there is no Prometheus
  configured
* Fixed recent regression that caused multicluster on EKS to not work properly
* Changed the `check` command to warn instead of error when webhook certificates
  are near expiry
* Added the `--ingress` flag to the `inject` command which adds the recently
  introduced `linkerd.io/inject: ingress` annotation
* Fixed issue with upgrades where external certs would be fetched and stored
  even though this does not happen on fresh installs with externally created
  certs
* Fixed issue with upgrades where the issuer cert expiration was being reset
* Removed the `--registry` flag from the `multicluster install` command
* Removed default CPU limits for the proxy and control plane components in HA
  mode

## edge-20.10.6

This edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It
adds a new `linkerd.io/inject: ingress` annotation to support service profiles
and enable per-route metrics and traffic splits for HTTP ingress controllers.

* Added a new `linkerd.io/inject: ingress` annotation to configure the
  proxy to support service profiles and enable per-route metrics and traffic
  splits for HTTP ingress controllers
* Reduced performance impact of logging in the proxy, especially when the
  `debug` or `trace` log levels are disabled
* Fixed spurious warnings logged by the `linkerd profile` CLI command

## edge-20.10.5

This edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It
adds a fix for updating the destination service when there are no endpoints.

* Added a fix to clear the EndpointTranslator state when it gets a
  `NoEndpoints` message. This ensures that the clients get the correct set of
  endpoints during an update.

## edge-20.10.4

This edge release is a release candidate for stable-2.9.0. For the proxy, there
have been changes to improve performance, remove unused code, and configure
ports that can be ignored by default. Also, this edge release adds enhancements
to the multicluster configuration and observability, adds more translations to
the dashboard, and addresses a bug in the CLI.

* Added more Spanish translations to the dashboard and more labels that can be
  translated
* Added support for creating multiple service accounts when installing
  multicluster with Helm to allow more granular revocation
* Renamed `global.proxy.destinationGetNetworks` to `global.clusterNetworks`.
  This is a cluster-wide setting and can no longer be overridden per-pod
* Fixed an empty multicluster Grafana graph which used a deprecated label
* Added the control plane tracing ServiceAccounts to the linkerd-psp
  RoleBinding so that it can be used in environments where PodSecurityPolicy
  is enabled
* Enhanced EKS support by adding `100.64.0.0/10` to the set of discoverable
  networks
* Fixed a bug in the way that the `--all-namespaces` flag is handled by the
  `linkerd edges` command
* Added a default set of ports to bypass the proxy for server-first, https,
  and memcached traffic

## edge-20.10.3

This edge release is a release candidate for stable-2.9.0. It overhauls the
discovery and routing logic implemented by the proxy, simplifies the way that
Linkerd stores configuration, and adds new Helm values to configure additional
labels, annotations, and namespace selectors for webhooks.

* Added podLabels and podAnnotations Helm values to allow adding additional
  labels or annotations to Linkerd control plane pods (thanks @tustvold!)
* Added namespaceSelector Helm value for configuring the namespace selector
  used by admission webhooks (thanks @tustvold!)
* Expanded the 'linkerd edges' command to show TCP connections
* Overhauled the discovery and routing logic implemented by the proxy:
  * The `l5d-dst-override` header is no longer honored
  * When the application attempts to connect to a pod IP, the proxy no
    longer load balances these requests among all pods in the service.
    The proxy will now honor session-stickiness as selected by an
    application-level load balancer
  * `TrafficSplits` are only applied when a client targets a service's IP
  * The proxy no longer performs DNS "canonicalization" to translate
    relative host header names to a fully-qualified form
* Simplified the way that Linkerd stores its configuration. Configuration is
  now stored as Helm values in the linkerd-config ConfigMap
* Renamed the --addon-config flag to --config to clarify this flag can be used
  to set any Helm value

## edge-20.10.2

This edge release adds more improvements for mTLS for all TCP traffic.
It also includes significant internal improvements to the way Linkerd
configuration is stored within the cluster.

* Changed TCP metrics exported by the proxy to ensure that peer
  identities are encoded via the `client_id` and `server_id` labels.
* Removed the dependency of control plane components on `linkerd-config`
* Updated the data structure `proxy-injector` uses to derive the configuration
  used when injecting workloads

## edge-20.10.1

This edge release includes a couple of external contributions towards
improved cert-manager support and Grafana charts fixes, among other
enhancements.

* Changed the type of the injector and tap API secrets to `kubernetes.io/tls`,
  so they can be provisioned by cert-manager (thanks @cypherfox!)
* Fixed the "Kubernetes cluster monitoring" Grafana dashboard that had a few
  charts with incomplete data (thanks @aimbot31!)
* Fixed the `service-mirror` multicluster component so that it retries
  connections to the target cluster's Kubernetes API when it's not reachable,
  instead of blocking
* Increased the proxy's default timeout for DNS resolution to 500ms, as there
  were reports that 100ms was too restrictive

## edge-20.9.4

This edge release introduces support for authenticated docker registries and
fixes a recent multicluster regression.

* Fixed a regression in multicluster gateway configurations that would forbid
  inbound gateway traffic
* Upgraded bundled Grafana to v7.1.5
* Enabled Jaeger receiver in collector configuration in Helm chart (thanks
  @olivierboudet!)
* Fixed skip port configuration being skipped in CNI plugin
* Introduced support for authenticated docker registries (thanks @c-n-c!)

## edge-20.9.3

This edge release includes fixes and updates for the control plane and CLI.

* Added `--dest-cni-bin-dir` flag to the `linkerd install-cni` command, to
  configure the directory on the host where the CNI binary will be placed
* Removed `collector.name` and `jaeger.name` config fields from the tracing
  addon
* Updated Jaeger to 1.19.2
* Fixed a warning about deprecated Go packages in controller container logs

## edge-20.9.2

This edge release continues the work of adding support for mTLS for all TCP
traffic and changes the default container registry to `ghcr.io` from `gcr.io`.

If you are upgrading from `stable-2.8.x` with the Linkerd CLI using the
`linkerd upgrade` command, you must add the `--addon-overwrite` flag to ensure
that the Grafana image is properly set.

* Removed the default timeout for ServiceProfiles so that ServiceProfile routes
  behave the same as when there is no ServiceProfile definition
* Changed default docker image repository to ghcr.io from gcr.io. **Users who
  pull the images into private repositories should take note of this change**
* Added endpoint labels to outbound TCP metrics to provide more context and
  detail for the metrics, add load balancing to TCP connections
  (bypassing kube-proxy), and secure the connection with mTLS when both
  endpoints are meshed
* Made unnamed ServiceProfile discovery configurable using the
  `proxy.destinationGetNetworks` variable to set the
  `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS` variable in the proxy chart
  template
* Added TLS certificate validation for the Injector, SP Validator, and Tap
  webhooks to the `linkerd check` command

## edge-20.9.1

This edge release contains an important proxy update that allows Linkerd to
continue to operate normally in HA during node outages. We're also adding full
Kubernetes 1.19 support!

* Improved the proxy's error handling for DNS errors encountered when
  discovering control plane addresses, which can be common during installation,
  before all components have been started
4251* The destination and identity services had to be made headless in order to
4252 support that new controller discovery (which now can leverage SRV records)
4253* Use SAN fields when generating the linkerd webhook configs; this completes the
4254 Kubernetes 1.19 support which enforces them
4255* Fixed `linkerd check` for multicluster that was spuriously claiming the
4256 absence of some resources
4257* Improved the injection test cleanup (thanks @zhouhao3!)
4258* Added ability to run the integration test suite using a cluster in an ARM
4259 architecture (thanks @aliariff!)
4260
## edge-20.8.4

* Fixed a problem causing the `enable-endpoint-slices` flag to not be persisted
  when set via `linkerd upgrade` (thanks @Matei207!)
* Removed SMI-Metrics templates and experimental sub-commands
* Use `--frozen-lockfile` to avoid accidental update of dashboard JS
  dependencies in CI (thanks @tharun208!)

## edge-20.8.3

This edge release adds support for [topology-aware service routing][topology] to
the Destination controller. When providing service discovery updates to proxies,
the Destination controller will now filter endpoints based on the service's
topology preferences. Additionally, this release includes bug fixes for the
`linkerd check` CLI command and web dashboard.

* CLI
  * `linkerd check` will no longer warn about a looser webhook failure policy in
    HA mode
* Controller
  * Added support for [topology-aware service routing][topology] to the Destination
    controller (thanks @Matei207)
  * Changed the Destination controller to always return destination overrides
    for service profiles when no traffic split is present
* Web UI
  * Fixed Tap `Authority` dropdown not being populated (thanks to @tharun208!)

[topology]: https://kubernetes.io/docs/concepts/services-networking/service-topology/

## edge-20.8.2

This edge release adds an internationalization framework to the dashboard,
Spanish translations to the dashboard UI, and a `linkerd multicluster uninstall`
command for graceful removal of the multicluster components.

* Web UI
  * Added Spanish translations to the dashboard
  * Added a framework and documentation to simplify creation of new
    translations
* Multicluster
  * Added a multicluster uninstall command
  * Added a warning from `linkerd check --multicluster` if the multicluster
    support is not installed

## edge-20.8.1

This edge adds multi-arch support to Linkerd! Our docker images and CLI now
support the amd64, arm64, and arm architectures.

* Multicluster
  * Added a multicluster unlink command for removing multicluster links
  * Improved multicluster checks to be more informative when the remote API is
    not reachable
* Proxy
  * Enabled a multi-threaded runtime to substantially improve latency especially
    when the proxy is serving requests for many concurrent connections
* Other
  * Fixed an issue where the debug sidecar image was missing during upgrades
    (thanks @javaducky!)
  * Updated all control plane and proxy container images to be multi-arch
    to support amd64, arm64, and arm (thanks @aliariff!)
  * Fixed an issue where check was failing when DisableHeartBeat was set to true
    (thanks @mvaal!)

## edge-20.7.5

This edge brings a new approach to multicluster service mirror controllers and
the way services in target clusters are selected for mirroring.

The long-awaited Bring-Your-Own-Prometheus case has been finally addressed.

Many other improvements from our great contributors are described below. Also
note progress is still being made under the covers for future support for Service
Topologies (by @Matei207) and delivering image builds in multiple platforms (by
@aliariff).

* Multicluster
  * Replaced the single `service-mirror` controller, with separate controllers
    that will be installed per target cluster through `linkerd multicluster
    link`. More info [here](https://github.com/linkerd/linkerd2/pull/4710).
  * Changed the mechanism for mirroring services: instead of relying on
    annotations on the target services, now the source cluster should specify
    which services from the target cluster should be exported by using a label
    selector. More info [here](https://github.com/linkerd/linkerd2/pull/4795).
  * Added new section in the dashboard for exposing multicluster gateway metrics
    (thanks @tharun208!)
* Prometheus
  * Added `global.prometheusUrl` to the Helm config to have linkerd use an
    external Prometheus instance instead of the one provided by default.
  * Added ability to declare sidecar containers in the Prometheus Helm config.
    This allows adding components for cases like exporting logs to services
    such as Cloudwatch, Stackdriver, Datadog, etc. (thanks @memory!)
  * Upgraded Prometheus to the latest version (v2.19.3), which should consume
    substantially less memory, among other benefits.
* Other
  * Fixed bug in `linkerd check` that was failing to wait for Prometheus to be
    available right after having installed linkerd.
  * Added ability to set `priorityClassName` for CNI DaemonSet pods, and to
    install CNI in an existing namespace (both options provided through the CLI
    and as Helm configs) (thanks @alex-berger!)
  * Added support for overriding the proxy's inbound and outbound TCP connection
    timeouts (thanks @mmiller1!)
  * Added library support for dashboard i18n. Strings still need to be tagged
    and translations to be added. More info
    [here](https://github.com/linkerd/linkerd2/pull/4803).
  * In some Helm charts, replaced the non-standard
    `linkerd.io/helm-release-version` annotation with `checksum/config` for
    forcing restarting the component during upgrades (thanks @naseemkullah!)
  * Upgraded the proxy init-container to v1.3.4, which comes with an updated
    debian-buster distro and will provide cleaner logs listing the iptables
    rules applied.

## edge-20.7.4

This edge release adds support for the new Kubernetes
[EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)
resource to the Destination controller. Using the EndpointSlice API is more
efficient for the Kubernetes control plane than using the Endpoints API. If
the cluster supports EndpointSlices (a beta feature in Kubernetes 1.17),
Linkerd can be installed with `--enable-endpoint-slices` flag to use this
resource rather than the Endpoints API.

* Added fish shell completions to the `linkerd` command (thanks @WLun001!)
* Enabled the support for EndpointSlices (thanks @Matei207!)
* Separated Prometheus checks and made them runnable only when the add-on
  is enabled

## edge-20.7.3

* Add preliminary support for EndpointSlices which will be usable in future
  releases (thanks @Matei207!)
* Internal improvements to the CI process for testing Helm installations

## edge-20.7.2

This edge release moves Linkerd's bundled Prometheus into an add-on. This makes
the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle
from the rest of the control plane, and will allow users to disable the bundled
Prometheus instance. In addition, this release includes fixes for several
issues, including a regression where the proxy would fail to report OpenCensus
spans.

* Prometheus is now an optional add-on, enabled by default
* Custom tolerations can now be specified for control plane resources when
  installing with Helm (thanks @DesmondH0!)
* Evicted data plane pods are no longer considered to be failed by `linkerd
  check --proxy`, fixing an issue where the check would be retried indefinitely
  as long as evicted pods are present
* Fixed a regression where proxy spans were not reported to OpenCensus
* Fixed a bug where the proxy injector would fail to render skipped port lists
  when installed with Helm
* Internal improvements to the proxy for lower latencies under high concurrency
* Thanks to @Hellcatlk and @surajssd for adding new unit tests and spelling
  fixes!

## edge-20.7.1

This edge release features the option to persist prometheus data to a volume
instead of memory, so that historical metrics are available when prometheus is
restarted. Additional changes are outlined in the bullet points below.

* Some commands like `linkerd stat` would fail if any control plane components
  were unhealthy, even when other replicas are healthy. The check conditions
  for these commands have been improved
* The helm chart can now configure persistent storage for Prometheus
  (thanks @naseemkullah!)
* The proxy log output format can now be configured to `plain` or `json` using
  the `config.linkerd.io/proxy-log-format` annotation or the
  `global.proxy.logFormat` value in the helm chart
  (thanks again @naseemkullah!)
* `linkerd install --addon-config=` now supports URLs in addition to local
  files
* The CNI Helm chart used the incorrect variable name to determine the `createdBy`
  version tag. This is now controlled by `cniPluginVersion` in the helm chart
* The proxy's default buffer size has been increased, which reduces latency when
  the proxy has many concurrent clients

## edge-20.6.4

This edge release moves the proxy onto a new version of the Tokio runtime. This
allows us to more easily integrate with the ecosystem and may yield performance
benefits as well.

* Upgraded the proxy's underlying Tokio runtime and its related libraries
* Added support for PKCS8 formatted ECDSA private keys
* Added support for Helm configuration of per-component proxy resources requests
  and limits (thanks @cypherfox!)
* Updated the `linkerd inject` command to throw an error while injecting
  non-compliant pods (thanks @mayankshah1607)

## stable-2.8.1

This release fixes multicluster gateways support on EKS.

* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* Have the service mirror controller check in `linkerd check` retry on failures.
* As of this version we're including a Chocolatey package (Windows) next to the
  other binaries in the release assets in GitHub.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3
* The shell scripts under `bin` continued to be improved, thanks to @joakimr-axis!

## edge-20.6.3

This edge release is a release candidate for stable-2.8.1. It includes a fix
to support multicluster gateways on EKS.

* The `config.linkerd.io/proxy-destination-get-networks` annotation configures
  the networks for which a proxy can discover metadata. This is an advanced
  configuration option that has security implications.
* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* The CLI will be published for Chocolatey (Windows) on future stable releases.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3

## stable-2.8.0

This release introduces a new multi-cluster extension to Linkerd, allowing it
to establish connections across Kubernetes clusters that are secure,
transparent to the application, and work with any network topology.

* The CLI has a new set of `linkerd multicluster` sub-commands that provide
  tooling to create the resources needed to discover services across
  Kubernetes clusters.
* The `linkerd multicluster gateways` command exposes gateway-specific
  telemetry to supplement the existing `stat` and `tap` commands.
* The Linkerd-provided Grafana instance remains enabled by default, but it can
  now be disabled. When it is disabled, the Linkerd dashboard can be
  configured to link to an alternate, externally-managed Grafana instance.
* Jaeger & OpenCensus are configurable as an [add-on][addon-2.8.0]; and the
  proxy has been improved to emit spans with labels that reflect its pod's
  metadata.
* The `linkerd-cni` component has been promoted from _experimental_ to
  _stable_.
* `linkerd profile --open-api` now honors the `x-linkerd-retryable` and
  `x-linkerd-timeout` OpenAPI annotations.
* The Helm chart continues to become more flexible and modular, with new
  Prometheus configuration options. More information is available in the
  [Helm chart README][helm-2.8.0].
* gRPC stream error handling has been improved so that transport errors
  are indicated to the client with a `grpc-status: UNAVAILABLE` trailer.
* The proxy's memory footprint could grow significantly when
  server-speaks-first-protocol connections hit the proxy. Now, a timeout is
  in place to prevent these connections from consuming resources.
* After benchmarking the proxy in high-concurrency situations, the inbound
  proxy has been improved to reduce contention, improving latency and
  reducing spurious timeouts.
* The proxy could fail requests to services that had only 1 request every 60
  seconds. This race condition has been eliminated.
* Finally, users reported that ingress misconfigurations could cause the proxy
  to consume an entire CPU which could lead to timeouts. The proxy now
  attempts to prevent the most common traffic-loop scenarios to protect against
  this.

_**NOTE**_: Linkerd's `multicluster` extension does not yet work on Amazon
EKS. We expect to follow this release with a stable-2.8.1 to address this
issue. Follow [#4582](https://github.com/linkerd/linkerd2/pull/4582) for updates.

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: @aliariff,
@amariampolskiy, @arminbuerkle, @arthursens, @christianhuening,
@christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble,
@joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207,
@mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.

[addon-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md#add-ons-configuration
[helm-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md

## edge-20.6.2

This edge release is our second release candidate for `stable-2.8`, including
various fixes and improvements around multicluster support.

* CLI
  * Fixed bad output in the `linkerd multicluster gateways` command
  * Improved the error returned when running the CLI with no KUBECONFIG path set
    (thanks @Matei207!)
* Controller
  * Fixed issue where mirror service wasn't created when paired to a gateway
    whose external IP wasn't yet provided
  * Fixed issue where updating the gateway identity annotation wasn't propagated
    back into the mirror gateway endpoints object
  * Fixed issue where updating the gateway ports wasn't reflected in the gateway
    mirror service
  * Increased the log level for some of the service mirror events
  * Changed the nginx gateway config so that it runs as non-root and denies all
    requests to locations other than the probe path
* Web UI
  * Fixed multicluster Grafana dashboard
* Internal
  * Added flag in integration tests to dump fixture diffs into a separate
    directory (thanks @cypherfox!)

## edge-20.6.1

This edge release is a release candidate for `stable-2.8`! It introduces several
improvements and fixes for multicluster support.

* CLI
  * Added multicluster daisy chain checks to `linkerd check`
  * Added list of successful gateways in multicluster checks section of `linkerd
    check`
* Controller
  * Renamed `nginx-configuration` ConfigMap to `linkerd-gateway-config` (please
    manually remove the former if upgrading from an earlier multicluster
    install, thanks @mayankshah1607!)
  * Renamed multicluster gateway ports to `mc-gateway` and `mc-probe`
  * Fixed Service Profiles routes for `linkerd-prometheus`
* Internal
  * Fixed shellcheck errors in all `bin/` scripts (thanks @joakimr-axis!)
* Helm
  * Added support for `linkerd mc allow`
  * Added ability to disable secret resources for self-signed certs (thanks
    @cypherfox!)
* Proxy
  * Modified the `linkerd-gateway` component to use the inbound proxy, rather
    than nginx, for gateway; this allows Linkerd to detect loops and propagate
    identity

## edge-20.5.5

This edge release adds refinements to the Linkerd multicluster implementation,
adds new health checks for the tracing add-on, and addresses an issue in which
outbound requests from the proxy result in looping behavior.

* CLI
  * Added the `multicluster` command along with subcommands to configure and
    deploy Linkerd workloads which enable services to be mirrored across
    clusters
  * Added health-checks for tracing add-on
* Proxy
  * Added logic to prevent loops in outbound requests

## edge-20.5.4

* CLI
  * Fixed the display of the meshed pod column for non-selector services in
    `linkerd stat` output
  * Added an `addon-overwrite` upgrade flag which allows users to overwrite the
    existing addon config rather than merging into it
  * Added a `--close-wait-timeout` inject flag which sets the
    `nf_conntrack_tcp_timeout_close_wait` property which can be used to mitigate
    connection issues with applications that hold half-closed sockets
* Controller
  * Restricted the service-mirror's RBAC permissions so that it no longer is
    able to read secrets in all namespaces
  * Moved many multicluster components into the `linkerd-multicluster` namespace
    by default
  * Added multicluster gateway mirror services to allow multicluster liveness
    probes to work in private networks
  * Fixed an issue where multicluster gateway mirror services could be
    incorrectly deleted during a resync
* Internal
  * Fixed many style issues in build scripts (thanks @joakimr-axis!)
* Helm
  * Added `global.grafanaUrl` variable to allow using an existing Grafana
    installation

## edge-20.5.3

* Controller
  * Added a Grafana dashboard for tracking multi-cluster traffic metrics
  * Added health checks for the Grafana add-on, under a separate section
  * Fixed issues when updating a remote multi-cluster gateway

* Proxy
  * Added special handling for I/O errors in HTTP responses so that an
    `errno` label is included to describe the underlying errors in the proxy's
    metrics

* Internal
  * Started gathering stats of CI runs for aggregating CI health metrics

## edge-20.5.2

This edge release contains everything required to get up and running with
multicluster. For a tutorial on how to do that, check out the
[documentation](https://linkerd.io/2/features/multicluster_support/).

* CLI
  * Added a section to the `linkerd check` that validates that all clusters
    part of a multicluster setup have compatible trust anchors
  * Modified the `linkerd cluster export-service` command to work by
    transforming yaml instead of modifying cluster state
  * Added functionality that allows the `linkerd cluster export-service`
    command to operate on lists of services
* Controller
  * Changed the multicluster gateway to always require TLS on connections
    originating from outside the cluster
  * Removed admin server timeouts from control plane components, thereby
    fixing a bug that can cause liveness checks to fail
* Helm
  * Moved Grafana templates into a separate add-on chart
* Proxy
  * Improved latency under high-concurrency use cases.

## edge-20.5.1

* CLI
  * Fixed all commands to use kubeconfig's default namespace if specified
    (thanks @Matei207!)
  * Added multicluster checks to the `linkerd check` command
  * Hid development flags in the `linkerd install` command for release builds
* Controller
  * Added ability to configure Prometheus Alertmanager as well as recording
    and alerting rules on the Linkerd Prometheus (thanks @naseemkullah!)
  * Added ability to add more commandline flags to the Prometheus command
    (thanks @naseemkullah!)
* Web UI
  * Fixed TrafficSplit detail page not loading
  * Added Jaeger links to the dashboard when the tracing addon is enabled
* Proxy
  * Modified internal buffering to avoid idling out services as a request
    arrives, fixing failures for requests that are sent exactly once per
    minute--such as Prometheus scrapes

## edge-20.4.5

This edge release includes several new CLI commands for use with multi-cluster
gateways, and adds liveness checks and metrics for gateways. Additionally, it
makes the proxy's gRPC error-handling behavior more consistent with other
implementations, and includes a fix for a bug in the web UI.

* CLI
  * Added `linkerd cluster setup-remote` command for setting up a
    multi-cluster gateway
  * Added `linkerd cluster gateways` command to display stats for
    multi-cluster gateways
  * Changed `linkerd cluster export-service` to modify a provided YAML file
    and output it, rather than mutating the cluster
* Controller
  * Added liveness checks and Prometheus metrics for multi-cluster gateways
  * Changed the proxy injector to configure proxies to do destination lookups
    for IPs in the private IP range
* Web UI
  * Fixed errors when viewing resource detail pages
* Internal
  * Created script and config to build a Linkerd CLI Chocolatey package for
    Windows users, which will be published with stable releases (thanks to
    @drholmie!)
* Proxy
  * Changed the proxy to set a `grpc-status: UNAVAILABLE` trailer when a gRPC
    response stream is interrupted by a transport error

## edge-20.4.4

This edge release fixes a packaging issue in `edge-20.4.3`.

_From `edge-20.4.3` release notes_:

This edge release adds functionality to the CLI to output more detail and
includes changes which support the multi-cluster functionality. Also, the helm
support has been expanded to make installation more configurable. Finally, the
HA reliability is improved by ensuring that control plane pods are restarted
with a rolling strategy.

* CLI
  * Added output to the `linkerd check --proxy` command to list all data plane
    pods which are not up-to-date rather than just printing the first one it
    encounters
  * Added a `--proxy` flag to the `linkerd version` command which lists all
    proxy versions running in the cluster and the number of pods running each
    version
  * Lifted requirement of using `--unmeshed` for `linkerd stat` when querying
    TrafficSplit resources
  * Added support for multi-stage installs with Add-Ons
* Controller
  * Added a rolling update strategy to Linkerd deployments that have multiple
    replicas during HA deployments to ensure that at most one pod begins
    terminating before a new pod is ready
  * Added a new label for the proxy injector to write to the template,
    `linkerd.io/workload-ns` which indicates the namespace of the workload/pod
* Internal
  * Added a [security
    policy](https://help.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)
    to facilitate conversations around security
* Helm
  * Changed charts to use downwardAPI to mount labels to the proxy container
    making them easier to identify
* Proxy
  * Changed the Linkerd proxy endpoint for liveness to use the new `/live`
    admin endpoint instead of the `/metrics` endpoint, because the `/live`
    endpoint returns a smaller payload
  * Added a per-endpoint authority-override feature to support multi-cluster
    gateways

## edge-20.4.3

**This release is superseded by `edge-20.4.4`**

This edge release adds functionality to the CLI to output more detail and
includes changes which support the multi-cluster functionality. Also, the helm
support has been expanded to make installation more configurable. Finally, the
HA reliability is improved by ensuring that control plane pods are restarted
with a rolling strategy.

* CLI
  * Added output to the `linkerd check --proxy` command to list all data plane
    pods which are not up-to-date rather than just printing the first one it
    encounters
  * Added a `--proxy` flag to the `linkerd version` command which lists all
    proxy versions running in the cluster and the number of pods running each
    version
  * Lifted requirement of using `--unmeshed` for `linkerd stat` when querying
    TrafficSplit resources
  * Added support for multi-stage installs with Add-Ons
* Controller
  * Added a rolling update strategy to Linkerd deployments that have multiple
    replicas during HA deployments to ensure that at most one pod begins
    terminating before a new pod is ready
  * Added a new label for the proxy injector to write to the template,
    `linkerd.io/workload-ns` which indicates the namespace of the workload/pod
* Internal
  * Added a [security
    policy](https://help.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)
    to facilitate conversations around security
* Helm
  * Changed charts to use downwardAPI to mount labels to the proxy container
    making them easier to identify
* Proxy
  * Changed the Linkerd proxy endpoint for liveness to use the new `/live`
    admin endpoint instead of the `/metrics` endpoint, because the `/live`
    endpoint returns a smaller payload
  * Added a per-endpoint authority-override feature to support multi-cluster
    gateways

## edge-20.4.2

This release brings a number of CLI fixes and Controller improvements.

* CLI
  * Fixed a bug that caused pods to crash after upgrade if
    `--skip-outbound-ports` or `--skip-inbound-ports` were used
  * Added `unmeshed` flag to the `stat` command, such that unmeshed resources
    are only displayed if the user opts-in
  * Added a `--smi-metrics` flag to `install`, to allow installation of the
    experimental `linkerd-smi-metrics` component
  * Fixed a bug in `linkerd stat`, causing incorrect output formatting when
    using the `-o wide` flag
  * Fixed a bug, causing `linkerd uninstall` to fail when attempting to delete
    PSPs
* Controller
  * Improved the anti-affinity of `linkerd-smi-metrics` deployment to avoid
    pod scheduling problems during `upgrade`
  * Improved endpoints change detection in the `linkerd-destination` service,
    enabling mirrored remote services to change cluster gateways
  * Added `operationID` field to tap OpenAPI response to prevent issues during
    upgrade from 2.6 to 2.7
* Proxy
  * Added a new protocol detection timeout to prevent clients from consuming
    resources indefinitely when not sending any data

## edge-20.4.1

This release introduces some cool new functionalities, all provided by our
awesome community of contributors! Also two bugs were fixed that were
introduced since edge-20.3.2.

* CLI
  * Added `linkerd uninstall` command to uninstall the control plane (thanks
    @Matei207!)
  * Fixed a bug causing `linkerd routes -o wide` to not show the proper actual
    success rate
* Controller
  * Fail proxy injection if the pod spec has `automountServiceAccountToken`
    disabled (thanks @mayankshah1607!)
* Web UI
  * Added a route dashboard to Grafana (thanks @lundbird!)
* Proxy
  * Fixed a bug causing the proxy's inbound to spuriously return 503 timeouts

## edge-20.3.4

This release introduces several fixes and improvements to the CLI.

* CLI
  * Added support for kubectl-style label selectors in many CLI commands
    (thanks @mayankshah1607!)
  * Fixed the path regex in service profiles generated from proto files
    without a package name (thanks @amariampolskiy!)
  * Fixed an error when injecting Cronjobs that have no metadata
  * Relaxed the clock skew check to match the default node heartbeat interval
    on Kubernetes 1.17 and made this check a warning
  * Fixed a bug where the linkerd-smi-metrics pod could not be created on
    clusters with pod security policy enabled
* Internal
  * Upgraded tracing components to more recent versions and improved resource
    defaults (thanks @Pothulapati!)

## edge-20.3.3

This release introduces new experimental CLI commands for querying metrics
using the Service Mesh Interface (SMI) and for multi-cluster support via
service mirroring.

If you would like to learn more about service mirroring or SMI, or are
interested in experimenting with these features, please join us in [Linkerd
Slack](https://slack.linkerd.io) for help and feedback.

* CLI
  * Added experimental `linkerd cluster` commands for managing multi-cluster
    service mirroring
  * Added the experimental `linkerd alpha clients` command, which uses the
    smi-metrics API to display client-side metrics from each of a resource's
    clients
  * Added retries to some `linkerd check` checks to prevent spurious failures
    when run immediately after cluster creation or Linkerd installation

## edge-20.3.2

This release introduces substantial proxy improvements as well as new
observability and security functionality.

* CLI
  * Added the `linkerd alpha stat` command, which uses the smi-metrics API;
    the latter enables access to metrics to be controlled with RBAC
* Controller
  * Added support for configuring service profile timeouts
    `(x-linkerd-timeout)` via OpenAPI spec (thanks @lewiscowper!)
* Web UI
  * Improved the Grafana dashboards to use a globbing operator for Prometheus
    in order to avoid producing queries that are too large (thanks @mmiller1!)
* Helm
  * Improved the `linkerd2` chart README (thanks @lundbird!)
* Proxy
  * Fixed a bug that could cause log levels to be processed incorrectly

## edge-20.3.1

This release introduces new functionality mainly focused around observability
and multi-cluster support via `service mirroring`.

If you would like to learn more about `service mirroring` or are interested in
experimenting with this feature, please join us in [Linkerd
Slack](https://slack.linkerd.io) for help and feedback.

* CLI
  * Improved the `linkerd check` command to check for extension server
    certificate (thanks @christyjacob4!)
* Controller
  * Removed restrictions preventing Linkerd from injecting proxies into
    Contour (thanks @alfatraining!)
  * Added an experimental version of a service mirroring controller, allowing
    discovery of services on remote clusters.
* Web UI
  * Fixed a bug causing incorrect Grafana links to be rendered in the web
    dashboard.
* Proxy
  * Fixed a bug that could cause the proxy's load balancer to stop processing
    updates from service discovery.

4920## edge-20.2.3
4921
4922This release introduces the first optional add-on `tracing`, added through the
4923new add-on model!
4924
4925The existing optional `tracing` components Jaeger and OpenCensus can now be
4926installed as add-on components.
4927
4928There will be more information to come about the new add-on model, but please
4929refer to the details of [#3955](https://github.com/linkerd/linkerd2/pull/3955)
4930for how to get started.
4931
4932* CLI
4933 * Added the `linkerd diagnostics` command to get metrics only from the
4934 control plane, excluding metrics from the data plane proxies (thanks
4935 @srv-twry!)
4936 * Added the `linkerd install --prometheus-image` option for installing a
4937 custom Prometheus image (thanks @christyjacob4!)
4938 * Fixed an issue with `linkerd upgrade` where changes to the `Namespace`
4939 object were ignored (thanks @supra08!)
4940* Controller
4941 * Added the `tracing` add-on which installs Jaeger and OpenCensus as add-on
4942 components (thanks @Pothulapati!!)
4943* Proxy
4944 * Increased the inbound router's default capacity from 100 to 10k to
4945 accommodate environments that have a high cardinality of virtual hosts
4946 served by a single pod
4947* Web UI
4948 * Fixed styling in the CallToAction banner (thanks @aliariff!)
4949
4950## edge-20.2.2
4951
4952This release includes the results from continued profiling & performance
4953analysis on the Linkerd proxy. In addition to modifying internals to prevent
4954unwarranted memory growth, new metrics were introduced to aid in debugging and
4955diagnostics.
4956
4957Also, Linkerd's CNI plugin is out of experimental; check out the docs at
4958<https://linkerd.io/2/features/cni/>!
4959
4960* CLI
4961 * Added support for label selectors in the `linkerd stat` command (thanks
4962 @mayankshah1607!)
4963 * Added scrolling functionality to the `linkerd top` output (thanks
4964 @kohsheen1234!)
4965 * Fixed bug in `linkerd metrics` that was causing a panic when
4966 port-forwarding failed (thanks @mayankshah1607!)
4967 * Added check to `linkerd check` verifying the number of replicas for
4968 Linkerd components in HA (thanks @mayankshah1607!)
4969 * Unified trust anchors terminology across the CLI commands
4970 * Removed some messages from `linkerd upgrade`'s output that are no longer
4971 relevant (thanks @supra08!)
4972
4973* Controller
4974 * Added support for configuring service profile retries
4975 `(x-linkerd-retryable)` via OpenAPI spec (thanks @kohsheen1234!)
4976 * Improved traffic split metrics so sources in all namespaces are shown, not
4977 just traffic from the traffic split's own namespace
4978 * Improved linkerd-identity's logs and events to help diagnose certificate
4979 validation issues (thanks @mayankshah1607!)
4980
4981* Proxy
4982 * Added `request_errors_total` metric exposing the number of requests that
4983 receive synthesized responses due to proxy errors
4984
4985* Helm
4986 * Added a new `enforcedHostRegexp` variable to allow configuring the
4987 linkerd-web component enforced host (that was previously introduced to
4988 protect against DNS rebinding attacks) (thanks @sannimichaelse!)
4989
4990* Internal
4991 * Removed various es-lint warnings from the dashboard code (thanks
4992 @christyjacob4 and @kohsheen1234!)
4993 * Fixed go module file syntax (thanks @daxmc99!)
4994
4995## stable-2.7.0
4996
4997This release adds support for integrating Linkerd's PKI with an external
4998certificate issuer such as [`cert-manager`] as well as streamlining the
4999certificate rotation process in general. For more details about cert-manager
5000and certificate rotation, see the
5001[docs](https://linkerd.io/2/tasks/use_external_certs/). This release also
5002includes performance improvements to the dashboard, reduced memory usage of
5003the proxy, various improvements to the Helm chart, and much much more.
5004
5005To install this release, run: `curl https://run.linkerd.io/install | sh`
5006
5007**Upgrade notes**: This release includes breaking changes to our Helm charts.
5008Please see the [upgrade
5009instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-270).
5010
5011**Special thanks to**: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre,
5012@javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607,
5013@Pothulapati, and @StupidScience!
5014
5015**Full release notes**:
5016
5017* CLI
5018 * Updated the mTLS trust anchor checks to eliminate false positives caused
5019 by extra trailing spaces
5020 * Reduced the severity level of the Linkerd version checks, so that they
5021 don't fail when the external version endpoint is unreachable (thanks
5022 @mayankshah1607!)
5023 * Added a new `tap` APIService check to aid with uncovering Kubernetes API
5024 aggregation layer issues (thanks @droidnoob!)
5025 * Introduced CNI checks to confirm the CNI plugin is installed and ready;
5026 this is done through `linkerd check --pre --linkerd-cni-enabled` before
5027 installation and `linkerd check` after installation if the CNI plugin is
5028 present
5029 * Added support for the `--as-group` flag so that users can impersonate
5030 groups for Kubernetes operations (thanks @mayankshah1607!)
5031 * Added HA specific checks to `linkerd check` to ensure that the
5032 `kube-system` namespace has the
5033 `config.linkerd.io/admission-webhooks:disabled` label set
5034 * Fixed a problem causing the presence of unnecessary empty fields in
5035 generated resource definitions (thanks @mayankshah1607)
5036 * Added the ability to pass both port numbers and port ranges to
5037 `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
5038 * Increased the comprehensiveness of `linkerd check --pre`
5039 * Added TLS certificate validation to `check` and `upgrade` commands
5040 * Added support for injecting CronJobs and ReplicaSets, as well as the
5041 ability to use them as targets in the CLI subcommands
5042 * Introduced the new flags `--identity-issuer-certificate-file`,
5043 `--identity-issuer-key-file` and `--identity-trust-anchors-file` to `linkerd
5044 upgrade` to support trust anchor and issuer certificate rotation
5045 * Added a check that ensures using `--namespace` and `--all-namespaces`
5046 results in an error as they are mutually exclusive
5047 * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow
5048 configuring the number of dashboard replicas (thanks @KIVagant!)
5049 * Removed redundant service profile check (thanks @alenkacz!)
5050 * Updated `uninject` command to work with namespace resources (thanks
5051 @mayankshah1607!)
5052 * Added a new `--identity-external-issuer` flag to `linkerd install` that
5053 configures Linkerd to use certificates issued by an external certificate
5054 issuer (such as `cert-manager`)
5055 * Added support for injecting a namespace to `linkerd inject` (thanks
5056 @mayankshah1607!)
5057 * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets
5058 can be created and accessed
5059 * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed
5060 IPs that match multiple running pods
5061 * Made `linkerd install --ignore-cluster` and `--skip-checks` faster
5062 * Fixed a bug causing `linkerd upgrade` to fail when used with
5063 `--from-manifest`
5064 * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)
5065 * Updated `check` to ensure that proxy trust anchors match configuration
5066 (thanks @ereslibre!)
5067 * Added condition to the `linkerd stat` command that requires a window size
5068 of at least 15 seconds to work properly with Prometheus
5069* Controller
5070 * Fixed an issue where an override of the Docker registry was not being
5071 applied to debug containers (thanks @javaducky!)
5072 * Added check for the Subject Alternative Name attributes to the API server
5073 when access restrictions have been enabled (thanks @javaducky!)
5074 * Added support for arbitrary pod labels so that users can leverage the
5075 Linkerd provided Prometheus instance to scrape for their own labels
5076 (thanks @daxmc99!)
5077 * Fixed an issue with CNI config parsing
5078 * Fixed a race condition in the `linkerd-web` service
5079 * Updated Prometheus to 2.15.2 (thanks @Pothulapati)
5080 * Increased minimum Kubernetes version to 1.13.0
5081 * Added support for pod IP and service cluster IP lookups in the destination
5082 service
5083 * Added recommended Kubernetes labels to control-plane
5084 * Added the `--wait-before-exit-seconds` flag to `linkerd inject` for the
5085 proxy sidecar to delay the start of its shutdown process (a huge commit
5086 from @KIVagant, thanks!)
5087 * Added a pre-sign check to the identity service
5088 * Fixed inject failures for pods with security context capabilities
5089 * Added `conntrack` to the `debug` container to help with connection
5090 tracking debugging
5091 * Fixed a bug in `tap` where mismatched cluster domain and trust domain caused
5092 `tap` to hang
5093 * Fixed an issue in the `identity` RBAC resource which caused start up
5094 errors in k8s 1.6 (thanks @Pothulapati!)
5095 * Added support for using trust anchors from an external certificate issuer
5096 (such as `cert-manager`) to the `linkerd-identity` service
5097 * Added support for headless services (thanks @JohannesEH!)
5098* Helm
5099 * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`
5100 * **Breaking change**: Updated Helm charts to follow best practices (thanks
5101 @Pothulapati and @javaducky!)
5102 * Fixed an issue with `helm install` where the lists of ignored inbound and
5103 outbound ports would not be reflected
5104 * Fixed the `linkerd-cni` Helm chart not setting proper namespace
5105 annotations and labels
5106 * Fixed certificate issuance lifetime not being set when installing through
5107 Helm
5108 * Updated the helm build to retain previous releases
5109 * Moved CNI template into its own Helm chart
5110* Proxy
5111 * Fixed an issue that could cause the OpenCensus exporter to stall
5112 * Improved error classification and error responses for gRPC services
5113 * Fixed a bug where the proxy could stop receiving service discovery
5114 updates, resulting in 503 errors
5115 * Improved debug/error logging to include detailed contextual information
5116 * Fixed a bug in the proxy's logging subsystem that could cause the proxy to
5117 consume memory until the process is OOM killed, especially when the proxy
5118 was configured to log diagnostic information
5119 * Updated proxy dependencies to address RUSTSEC-2019-0033,
5120 RUSTSEC-2019-0034, and RUSTSEC-2020-02
5121* Web UI
5122 * Fixed an error when refreshing an already open dashboard when the Linkerd
5123 version has changed
5124 * Increased the speed of the dashboard by pausing network activity when the
5125 dashboard is not visible to the user
5126 * Added support for CronJobs and ReplicaSets, including new Grafana
5127 dashboards for them
5128 * Added `linkerd check` to the dashboard in the `/controlplane` view
5129 * Added request and response headers to the `tap` expanded view in the
5130 dashboard
5131 * Added filter to namespace select button
5132 * Improved how empty tables are displayed
5133 * Added `Host:` header validation to the `linkerd-web` service, to protect
5134 against DNS rebinding attacks
5135 * Made the dashboard sidebar component responsive
5136 * Changed the navigation bar color to the one used on the
5137 [Linkerd](https://linkerd.io/) website
5138* Internal
5139 * Added validation to incoming sidecar injection requests that ensures the
5140 value of `linkerd.io/inject` is either `enabled` or `disabled` (thanks
5141 @mayankshah1607)
5142 * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
5143 * Fixed an issue causing `tap`, `injector` and `sp-validator` to use old
5144 certificates after `helm upgrade` due to not being restarted
5145 * Fixed incomplete Swagger definition of the tap API, causing benign error
5146 logging in the kube-apiserver
5147 * Removed the destination container from the linkerd-controller deployment
5148 as it now runs in the linkerd-destination deployment
5149 * Allowed the control plane to be injected with the `debug` container
5150 * Updated proxy image build script to support HTTP proxy options (thanks
5151 @joakimr-axis!)
5152 * Updated the CLI `doc` command to auto-generate documentation for the proxy
5153 configuration annotations (thanks @StupidScience!)
5154 * Added new `--trace-collector` and `--trace-collector-svc-account` flags to
5155 `linkerd inject` that configures the OpenCensus trace collector used by
5156 proxies in the injected workload (thanks @Pothulapati!)
5157 * Added a new `--control-plane-tracing` flag to `linkerd install` that
5158 enables distributed tracing in the control plane (thanks @Pothulapati!)
5159 * Added distributed tracing support to the control plane (thanks
5160 @Pothulapati!)
5161
5162## edge-20.2.1
5163
5164This edge release is a release candidate for `stable-2.7` and fixes an issue
5165where the proxy could consume inappropriate amounts of memory.
5166
5167* Proxy
5168 * Fixed a bug in the proxy's logging subsystem that could cause the proxy to
5169 consume memory until the process is OOM killed, especially when the proxy
5170 was configured to log diagnostic information
5171 * Fixed `grpc-status` headers not being emitted properly when signaling
5172 proxy errors to gRPC clients
5173 * Updated certain proxy dependencies to address RUSTSEC-2019-0033,
5174 RUSTSEC-2019-0034, and RUSTSEC-2020-02
5175
5176## edge-20.1.4
5177
5178This edge release is a release candidate for `stable-2.7`.
5179
5180The `linkerd check` command has been updated to improve the control plane
5181debugging experience.
5182
5183* CLI
5184 * Updated the mTLS trust anchor checks to eliminate false positives caused
5185 by extra trailing spaces
5186 * Reduced the severity level of the Linkerd version checks, so that they
5187 don't fail when the external version endpoint is unreachable (thanks
5188 @mayankshah1607!)
5189 * Added a new `tap` APIService check to aid with uncovering Kubernetes API
5190 aggregation layer issues (thanks @droidnoob!)
5191
5192## edge-20.1.3
5193
5194This edge release is a release candidate for `stable-2.7`.
5195
5196An update to the Helm charts has caused a **breaking change** for users who
5197have installed Linkerd using Helm. In order to make the purpose of the
5198`noInitContainer` parameter more explicit, it has been renamed to
5199`cniEnabled`.
5200
5201* CLI
5202 * Introduced CNI checks to confirm the CNI plugin is installed and ready;
5203 this is done through `linkerd check --pre --linkerd-cni-enabled` before
5204 installation and `linkerd check` after installation if the CNI plugin is
5205 present
5206 * Added support for the `--as-group` flag so that users can impersonate
5207 groups for Kubernetes operations (thanks @mayankshah1607!)
5208* Controller
5209 * Fixed an issue where an override of the Docker registry was not being
5210 applied to debug containers (thanks @javaducky!)
5211 * Added check for the Subject Alternative Name attributes to the API server
5212 when access restrictions have been enabled (thanks @javaducky!)
5213 * Added support for arbitrary pod labels so that users can leverage the
5214 Linkerd provided Prometheus instance to scrape for their own labels
5215 (thanks @daxmc99!)
5216 * Fixed an issue with CNI config parsing
5217* Helm
5218 * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`
5219 * Fixed an issue with `helm install` where the lists of ignored inbound and
5220 outbound ports would not be reflected
5221
5222## edge-20.1.2
5223
5224* CLI
5225 * Added HA specific checks to `linkerd check` to ensure that the
5226 `kube-system` namespace has the
5227 `config.linkerd.io/admission-webhooks:disabled` label set
5228 * Fixed a problem causing the presence of unnecessary empty fields in
5229 generated resource definitions (thanks @mayankshah1607)
5230* Proxy
5231 * Fixed an issue that could cause the OpenCensus exporter to stall
5232* Internal
5233 * Added validation to incoming sidecar injection requests that ensures the
5234 value of `linkerd.io/inject` is either `enabled` or `disabled` (thanks
5235 @mayankshah1607)
5236
5237## edge-20.1.1
5238
5239This edge release includes experimental improvements to the Linkerd proxy's
5240request buffering and backpressure infrastructure.
5241
5242Additionally, we've fixed several bugs when installing Linkerd with Helm,
5243updated the CLI to allow using both port numbers _and_ port ranges with the
5244`--skip-inbound-ports` and `--skip-outbound-ports` flags, and fixed a
5245dashboard error that can occur if the dashboard is open in a browser while
5246updating Linkerd.
5247
5248**Note**: The `linkerd-proxy` version included with this release is more
5249experimental than usual. We'd love your help testing, but be aware that there
5250might be stability issues.
5251
5252* CLI
5253 * Added the ability to pass both port numbers and port ranges to
5254 `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
5255* Controller
5256 * Fixed a race condition in the `linkerd-web` service
5257 * Updated Prometheus to 2.15.2 (thanks @Pothulapati)
5258* Web UI
5259 * Fixed an error when refreshing an already open dashboard when the Linkerd
5260 version has changed
5261* Proxy
5262 * Internal changes to the proxy's request buffering and backpressure
5263 infrastructure
5264* Helm
5265 * Fixed the `linkerd-cni` Helm chart not setting proper namespace
5266 annotations and labels
5267 * Fixed certificate issuance lifetime not being set when installing through
5268 Helm
5269 * More improvements to Helm best practices (thanks to @Pothulapati!)
5270
5271## edge-19.12.3
5272
5273This edge release adds support for pod IP and service cluster IP lookups,
5274improves performance of the dashboard, and makes `linkerd check --pre` perform
5275more comprehensive checks.
5276
5277The `--wait-before-exit-seconds` flag has been added to allow Linkerd users to
5278opt in to `preStop hooks`. The details of this change are in
5279[#3798](https://github.com/linkerd/linkerd2/pull/3798).
5280
5281Also, the proxy has been updated to `v2.82.0` which improves gRPC error
5282classification and [ensures that
5283resolutions](https://github.com/linkerd/linkerd2/pull/3848) are released when
5284the associated balancer becomes idle.
5285
5286Finally, an update to follow best practices in the Helm charts has caused a
5287_breaking change_. Users who have installed Linkerd using Helm must be certain
5288to read the details of
5289[#3822](https://github.com/linkerd/linkerd2/issues/3822).
5290
5291* CLI
5292 * Increased the comprehensiveness of `linkerd check --pre`
5293 * Added TLS certificate validation to `check` and `upgrade` commands
5294* Controller
5295 * Increased minimum Kubernetes version to 1.13.0
5296 * Added support for pod IP and service cluster IP lookups in the destination
5297 service
5298 * Added recommended Kubernetes labels to control-plane
5299 * Added the `--wait-before-exit-seconds` flag to `linkerd inject` for the
5300 proxy sidecar to delay the start of its shutdown process (a huge commit
5301 from @KIVagant, thanks!)
5302 * Added a pre-sign check to the identity service
5303* Web UI
5304 * Increased the speed of the dashboard by pausing network activity when the
5305 dashboard is not visible to the user
5306* Proxy
5307 * Added a timeout to release resolutions to idle balancers
5308 * Improved error classification for gRPC services
5309* Internal
5310 * **Breaking change**: Updated Helm charts to follow best practices using
5311 proper casing (thanks @Pothulapati!)
5312
5313## edge-19.12.2
5314
5315* CLI
5316 * Added support for injecting CronJobs and ReplicaSets, as well as the
5317 ability to use them as targets in the CLI subcommands
5318 * Introduced the new flags `--identity-issuer-certificate-file`,
5319 `--identity-issuer-key-file` and `--identity-trust-anchors-file` to `linkerd
5320 upgrade` to support trust anchor and issuer certificate rotation
5321* Controller
5322 * Fixed inject failures for pods with security context capabilities
5323* Web UI
5324 * Added support for CronJobs and ReplicaSets, including new Grafana
5325 dashboards for them
5326* Proxy
5327 * Fixed a bug where the proxy could stop receiving service discovery
5328 updates, resulting in 503 errors
5329* Internal
5330 * Moved CNI template into a Helm chart to prepare for future publication
5331 * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
5332 * Re-enabled certificate rotation integration tests
5333
5334## edge-19.12.1
5335
5336* CLI
5337 * Added condition to the `linkerd stat` command that requires a window size
5338 of at least 15 seconds to work properly with Prometheus
5339* Internal
5340 * Fixed whitespace path handling in non-docker build scripts (thanks
5341 @joakimr-axis!)
5342 * Removed Calico logutils dependency that was incompatible with Go 1.13
5343 * Updated Helm templates to use fully-qualified variable references based
5344 upon Helm best practices (thanks @javaducky!)
5345
5346## edge-19.11.3
5347
5348* CLI
5349 * Added a check that ensures using `--namespace` and `--all-namespaces`
5350 results in an error as they are mutually exclusive
5351* Internal
5352 * Fixed an issue causing `tap`, `injector` and `sp-validator` to use old
5353 certificates after `helm upgrade` due to not being restarted
5354 * Fixed incomplete Swagger definition of the tap API, causing benign error
5355 logging in the kube-apiserver
5356
5357## edge-19.11.2
5358
5359* CLI
5360 * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow
5361 configuring the number of dashboard replicas (thanks @KIVagant!)
5362 * Removed redundant service profile check (thanks @alenkacz!)
5363* Web UI
5364 * Added `linkerd check` to the dashboard in the `/controlplane` view
5365 * Added request and response headers to the `tap` expanded view in the
5366 dashboard
5367* Internal
5368 * Removed the destination container from the linkerd-controller deployment
5369 as it now runs in the linkerd-destination deployment
5370 * Upgraded Go to version 1.13.4
5371
5372## edge-19.11.1
5373
5374* CLI
5375 * Updated `uninject` command to work with namespace resources (thanks
5376 @mayankshah1607!)
5377* Controller
5378 * Added `conntrack` to the `debug` container to help with connection
5379 tracking debugging
5380 * Fixed a bug in `tap` where mismatched cluster domain and trust domain caused
5381 `tap` to hang
5382 * Fixed an issue in the `identity` RBAC resource which caused start up
5383 errors in k8s 1.6 (thanks @Pothulapati!)
5384* Proxy
5385 * Improved debug/error logging to include detailed contextual information
5386* Web UI
5387 * Added filter to namespace select button
5388 * Improved how empty tables are displayed
5389* Internal
5390 * Added integration test for custom cluster domain
5391 * Allowed the control plane to be injected with the `debug` container
5392 * Updated proxy image build script to support HTTP proxy options (thanks
5393 @joakimr-axis!)
5394 * Updated the CLI `doc` command to auto-generate documentation for the proxy
5395 configuration annotations (thanks @StupidScience!)
5396
5397## edge-19.10.5
5398
5399This edge release adds support for integrating Linkerd's PKI with an external
5400certificate issuer such as [`cert-manager`], adds distributed tracing support
5401to the Linkerd control plane, and adds protection against DNS rebinding
5402attacks to the web dashboard. In addition, it includes several improvements to
5403the Linkerd CLI.
5404
5405* CLI
5406 * Added a new `--identity-external-issuer` flag to `linkerd install` that
5407 configures Linkerd to use certificates issued by an external certificate
5408 issuer (such as `cert-manager`)
5409 * Added support for injecting a namespace to `linkerd inject` (thanks
5410 @mayankshah1607!)
5411 * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets
5412 can be created and accessed
5413 * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed
5414 IPs that match multiple running pods
5415* Controller
5416 * Added support for using trust anchors from an external certificate issuer
5417 (such as `cert-manager`) to the `linkerd-identity` service
5418* Web UI
5419 * Added `Host:` header validation to the `linkerd-web` service, to protect
5420 against DNS rebinding attacks
5421* Internal
5422 * Added new `--trace-collector` and `--trace-collector-svc-account` flags to
5423 `linkerd inject` that configures the OpenCensus trace collector used by
5424 proxies in the injected workload (thanks @Pothulapati!)
5425 * Added a new `--control-plane-tracing` flag to `linkerd install` that
5426 enables distributed tracing in the control plane (thanks @Pothulapati!)
5427 * Added distributed tracing support to the control plane (thanks
5428 @Pothulapati!)
5429
5430Also, thanks to @joakimr-axis for several fixes and improvements to internal
5431build scripts!
5432
5433[`cert-manager`]: https://github.com/jetstack/cert-manager
5434
5435## edge-19.10.4
5436
5437This edge release adds dashboard UX enhancements, and improves the speed of
5438the CLI.
5439
5440* CLI
5441 * Made `linkerd install --ignore-cluster` and `--skip-checks` faster
5442 * Fixed a bug causing `linkerd upgrade` to fail when used with
5443 `--from-manifest`
5444* Web UI
5445 * Made the dashboard sidebar component responsive
5446 * Changed the navigation bar color to the one used on the
5447 [Linkerd](https://linkerd.io/) website
5448
5449## edge-19.10.3
5450
5451This edge release adds support for headless services, improves the upgrade
5452process after installing Linkerd with a custom cluster domain, and enhances
5453the `check` functionality to report invalid trust anchors.
5454
5455* CLI
5456 * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)
5457 * Updated `check` to ensure that proxy trust anchors match configuration
5458 (thanks @ereslibre!)
5459* Controller
5460 * Added support for headless services (thanks @JohannesEH!)
5461* Helm
5462 * Updated the helm build to retain previous releases
5463
5464## stable-2.6.0
5465
5466This release introduces distributed tracing support, adds request and response
5467headers to `linkerd tap`, dramatically improves the performance of the
5468dashboard on large clusters, adds traffic split visualizations to the
5469dashboard, adds a public Helm repo, and many more improvements!
5470
5471For more details, see the announcement blog post:
5472<https://linkerd.io/2019/10/10/announcing-linkerd-2.6/>
5473
5474To install this release, run: `curl https://run.linkerd.io/install | sh`
5475
5476**Upgrade notes**: Please see the [upgrade
5477instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-6-0).
5478
5479**Special thanks to**: @alenkacz, @arminbuerkle, @bmcstdio, @bourquep,
5480@brianstorti, @kevtaylor, @KIVagant, @pierDipi, and @Pothulapati!
5481
5482**Full release notes**:
5483
5484* CLI
5485 * Added a new `json` output option to the `linkerd tap` command, which
5486 exposes request and response headers
5487 * Added a public Helm repo - for full installation instructions, see our
5488 [Helm documentation](https://linkerd.io/2/tasks/install-helm/).
5489 * Added an `--address` flag to `linkerd dashboard`, allowing users to
5490 specify a port-forwarding address (thanks @bmcstdio!)
5491 * Added node selector constraints to Helm installation, so users can control
5492 which nodes the control plane is deployed to (thanks @bmcstdio!)
5493 * Added a `--cluster-domain` flag to the `linkerd install` command that
5494 allows setting a custom cluster domain (thanks @arminbuerkle!)
5495 * Added a `--disable-heartbeat` flag for `linkerd install | upgrade`
5496 commands
5497 * Allowed disabling namespace creation when installing Linkerd using Helm
5498 (thanks @KIVagant!)
5499 * Improved the error message when the CLI cannot connect to Kubernetes
5500 (thanks @alenkacz!)
5501* Controller
5502 * Updated the Prometheus config to keep only needed `cadvisor` metrics,
5503 substantially reducing the number of time-series stored in most clusters
5504 * Introduced `config.linkerd.io/trace-collector` and
5505 `config.alpha.linkerd.io/trace-collector-service-account` pod spec
5506 annotations to support per-pod tracing
5507 * Instrumented the proxy injector to provide additional metrics about
5508 injection (thanks @Pothulapati!)
5509 * Added Kubernetes events (and log lines) when the proxy injector injects a
5510 deployment, and when injection is skipped
5511 * Fixed a workload admission error between the Kubernetes apiserver and the
5512 HA proxy injector, by allowing workloads in a namespace to be omitted from
5513 the admission webhooks phase using the
5514 `config.linkerd.io/admission-webhooks: disabled` label (thanks
5515 @hasheddan!)
5516 * Fixed proxy injector timeout during a large number of concurrent
5517 injections
5518 * Added support for disabling the heartbeat cronjob (thanks @kevtaylor!)
5519* Proxy
5520 * Added distributed tracing support
5521 * Decreased proxy Docker image size by removing bundled debug tools
5522 * Added 587 (SMTP) to the list of ports to ignore in protocol detection
5523 (bound to server-speaks-first protocols) (thanks @brianstorti!)
5524* Web UI
5525 * Redesigned dashboard navigation so workloads are now viewed by namespace,
5526 with an "All Namespaces" option, in order to increase dashboard speed
5527 * Added Traffic Splits as a resource to the dashboard, including a Traffic
5528 Split detail page
5529 * Added a `Linkerd Namespace` Grafana dashboard, allowing users to view
5530 historical data for a given namespace, similar to CLI output for `linkerd
5531 stat deploy -n myNs` (thanks @bourquep!)
5532 * Fixed bad request in the top routes tab on empty fields (thanks
5533 @pierDipi!)
5534* Internal
5535 * Moved CI from Travis to GitHub Actions
5536 * Added requirement for Go `1.12.9` for controller builds to include
5537 security fixes
5538 * Added support for Kubernetes `1.16`
5539 * Upgraded client-go to `v12.0.0`
5540
5541## edge-19.10.2
5542
5543This edge release is a release candidate for `stable-2.6`.
5544
5545* Controller
5546 * Added the destination container back to the controller; it had previously
5547 been separated into its own deployment. This ensures backwards
5548 compatibility and allows users to avoid data plane downtime during an
5549 upcoming upgrade to `stable-2.6`.
5550
5551## edge-19.10.1
5552
5553This edge release is a release candidate for `stable-2.6`.
5554
5555* Proxy
5556 * Improved error logging when the proxy fails to emit trace spans
5557 * Fixed bug in distributed tracing where trace ids with fewer than 16 bytes
5558 were discarded
5559* Internal
5560 * Added integration tests for `linkerd edges` and `linkerd endpoints`
5561
5562## edge-19.9.5
5563
5564This edge release is a release candidate for `stable-2.6`.
5565
5566* Helm
5567 * Added node selector constraints, so users can control which nodes the
5568 control plane is deployed to (thanks @bmcstdio!)
5569* CLI
5570 * Added request and response headers to the JSON output option for `linkerd
5571 tap`
5572
## edge-19.9.4

This edge release introduces experimental support for distributed tracing as
well as a redesigned sidebar in the Web UI!

Experimental support for distributed tracing means that Linkerd data plane
proxies can now emit trace spans, allowing you to see the exact amount of time
spent in the Linkerd proxy for traced requests. The new
`config.linkerd.io/trace-collector` and
`config.alpha.linkerd.io/trace-collector-service-account` tracing annotations
allow specifying which pods should emit trace spans.

The goal of the dashboard's sidebar redesign was to reduce load on Prometheus
and simplify navigation by providing top-level views centered around
namespaces and workloads.

* CLI
  * Introduced a new `--cluster-domain` flag to the `linkerd install` command
    that allows setting a custom cluster domain (thanks @arminbuerkle!)
  * Fixed the `linkerd endpoints` command to use the correct Destination API
    address (thanks @Pothulapati!)
  * Added `--disable-heartbeat` flag for `linkerd` `install|upgrade` commands
* Controller
  * Instrumented the proxy-injector to provide additional metrics about
    injection (thanks @Pothulapati!)
  * Added support for `config.linkerd.io/admission-webhooks: disabled` label
    on namespaces so that pod creation events in these namespaces are
    ignored by the proxy injector; this fixes situations in HA deployments
    where the proxy-injector is installed in `kube-system` (thanks
    @hasheddan!)
  * Introduced `config.linkerd.io/trace-collector` and
    `config.alpha.linkerd.io/trace-collector-service-account` pod spec
    annotations to support per-pod tracing
* Web UI
  * Workloads are now viewed by namespace, with an "All Namespaces" option, to
    improve dashboard performance
* Proxy
  * Added experimental distributed tracing support

## edge-19.9.3

* Helm
  * Allowed disabling namespace creation during install (thanks @KIVagant!)
* CLI
  * Added a new `json` output option to the `linkerd tap` command
* Controller
  * Fixed proxy injector timeout during a large number of concurrent
    injections
  * Separated the destination controller into its own separate deployment
  * Updated Prometheus config to keep only needed `cadvisor` metrics,
    substantially reducing the number of time-series stored in most clusters
* Web UI
  * Fixed bad request in the top routes tab on empty fields (thanks
    @pierDipi!)
* Proxy
  * Fixes to the client's backoff logic
  * Added 587 (SMTP) to the list of ports to ignore in protocol detection
    (bound to server-speaks-first protocols) (thanks @brianstorti!)

## edge-19.9.2

Much of our effort has been focused on improving our build and test
infrastructure, but this edge release lays the groundwork for some big new
features to land in the coming releases!

* Helm
  * There's now a public Helm repo! This release can be installed with: `helm
    repo add linkerd-edge https://helm.linkerd.io/edge && helm install
    linkerd-edge/linkerd2`
  * Improved TLS credential parsing by ignoring spurious newlines
* Proxy
  * Decreased proxy-init Docker image size by removing bundled debug tools
* Web UI
  * Fixed an issue where the edges table could end up with duplicates
  * Added an icon to more clearly label external links
* Internal
  * Upgraded client-go to v12.0.0
  * Moved CI from Travis to GitHub Actions

## edge-19.9.1

This edge release adds traffic splits into the Linkerd dashboard as well as a
variety of other improvements.

* CLI
  * Improved the error message when the CLI cannot connect to Kubernetes
    (thanks @alenkacz!)
  * Added `--address` flag to `linkerd dashboard` (thanks @bmcstdio!)
* Controller
  * Fixed an issue where the proxy-injector had insufficient RBAC permissions
  * Added support for disabling the heartbeat cronjob (thanks @kevtaylor!)
* Proxy
  * Decreased proxy Docker image size by removing bundled debug tools
  * Fixed an issue where the incorrect content-length could be set for GET
    requests with bodies
* Web UI
  * Added trafficsplits as a resource to the dashboard, including a
    trafficsplit detail page
* Internal
  * Added support for Kubernetes 1.16

## edge-19.8.7

* Controller
  * Added Kubernetes events (and log lines) when the proxy injector injects a
    deployment, and when injection is skipped
  * Additional preparation for configuring the cluster base domain (thanks
    @arminbuerkle!)
* Proxy
  * Changed the proxy to require the `LINKERD2_PROXY_DESTINATION_SVC_ADDR`
    environment variable when starting up
* Web UI
  * Increased dashboard speed by consolidating existing Prometheus queries

## edge-19.8.6

A new Grafana dashboard has been added which shows historical data for a
selected namespace. The build process for controller components now requires
`Go 1.12.9`. Additional contributions were made towards support for custom
cluster domains.

* Web UI
  * Added a `Linkerd Namespace` Grafana dashboard, allowing users to view
    historical data for a given namespace, similar to CLI output for `linkerd
    stat deploy -n myNs` (thanks @bourquep!)
* Internal
  * Added requirement for Go `1.12.9` for controller builds to include
    security fixes
  * Set `LINKERD2_PROXY_DESTINATION_GET_SUFFIXES` proxy environment variable,
    in preparation for custom cluster domain support (thanks @arminbuerkle!)

## stable-2.5.0

This release adds [Helm support](https://linkerd.io/2/tasks/install-helm/),
[tap authentication and authorization via RBAC](https://linkerd.io/tap-rbac),
traffic split stats, dynamic logging levels, a new cluster monitoring
dashboard, and countless performance enhancements and bug fixes.

For more details, see the announcement blog post:
<https://linkerd.io/2019/08/20/announcing-linkerd-2.5/>

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
plane. This command ensures that all of the existing control plane's
configuration and mTLS secrets are retained. For more details, please see the
[upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-5-0).

**Special thanks to**: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber,
and @Pothulapati!

**Full release notes**:

* CLI
  * **New** Updated `linkerd tap`, `linkerd top` and `linkerd profile --tap`
    to require `tap.linkerd.io` RBAC privileges. See
    <https://linkerd.io/tap-rbac> for more info
  * **New** Added traffic split metrics via `linkerd stat trafficsplits`
    subcommand
  * Made the `linkerd routes` command traffic split aware
  * Introduced the `linkerd --as` flag which allows users to impersonate
    another user for Kubernetes operations
  * Introduced the `--all-namespaces` (`-A`) option to the `linkerd get`,
    `linkerd edges` and `linkerd stat` commands to retrieve resources across
    all namespaces
  * Improved the installation report produced by the `linkerd check` command
    to include the control plane pods' live status
  * Fixed bug in the `linkerd upgrade config` command that was causing it to
    crash
  * Introduced `--use-wait-flag` to the `linkerd install-cni` command, to
    configure the CNI plugin to use the `-w` flag for `iptables` commands
  * Introduced `--restrict-dashboard-privileges` flag to `linkerd install`
    command, to disallow tap in the dashboard
  * Fixed `linkerd uninject` not removing `linkerd.io/inject: enabled`
    annotations
  * Fixed `linkerd stat -h` example commands (thanks @ethan-daocloud!)
  * Fixed incorrect "meshed" count in `linkerd stat` when resources share the
    same label selector for pods (thanks @jonathanbeber!)
  * Added pod status to the output of the `linkerd stat` command (thanks
    @jonathanbeber!)
  * Added namespace information to the `linkerd edges` command output and a
    new `-o wide` flag that shows the identity of the client and server if
    known
  * Added a check to the `linkerd check` command to validate the user has
    privileges necessary to create CronJobs
  * Added a new check to the `linkerd check --pre` command validating that if
    PSP is enabled, the NET_RAW capability is available
* Controller
  * **New** Disabled all unauthenticated tap endpoints. Tap requests now
    require [RBAC authentication and
    authorization](https://linkerd.io/tap-rbac)
  * The `l5d-require-id` header is now set on tap requests so that a
    connection is established over TLS
  * Introduced a new RoleBinding in the `kube-system` namespace to provide
    [access to tap](https://linkerd.io/tap-rbac)
  * Added HTTP security headers on all dashboard responses
  * Added support for namespace-level proxy override annotations (thanks
    @Pothulapati!)
  * Added resource limits when HA is enabled (thanks @Pothulapati!)
  * Added pod anti-affinity rules to the control plane pods when HA is enabled
    (thanks @Pothulapati!)
  * Fixed a crash in the destination service when an endpoint does not have a
    `TargetRef`
  * Updated the destination service to return `InvalidArgument` for external
    name services so that the proxy does not immediately fail the request
  * Fixed an issue with discovering StatefulSet pods via their unique hostname
  * Fixed an issue with traffic split where outbound proxy stats are missing
  * Upgraded the service profile CRD to v1alpha2. No changes required for
    users currently using v1alpha1
  * Updated the control plane's pod security policy to restrict workloads from
    running as `root` in the CNI mode (thanks @codeman9!)
  * Introduced optional cluster heartbeat cron job
  * Bumped Prometheus to 2.11.1
  * Bumped Grafana to 6.2.5
* Proxy
  * **New** Added a new `/proxy-log-level` endpoint to update the log level at
    runtime
  * **New** Updated the tap server to only admit requests from the control
    plane's tap controller
  * Added `request_handle_us` histogram to measure proxy overhead
  * Fixed gRPC client cancellations getting recorded as failures rather than
    as successful
  * Fixed a bug where tap would stop streaming after a short amount of time
  * Fixed a bug that could cause the proxy to leak service discovery
    resolutions to the Destination controller
* Web UI
  * **New** Added "Kubernetes cluster monitoring" Grafana dashboard with
    cluster and containers metrics
  * Updated the web server to use the new tap APIService. If the `linkerd-web`
    service account is not authorized to tap resources, users will see a link
    to documentation to remedy the error

## edge-19.8.5

This edge release is a release candidate for `stable-2.5`.

* CLI
  * Fixed CLI filepath issue on Windows
* Proxy
  * Fixed gRPC client cancellations getting recorded as failures rather than
    as successful

## edge-19.8.4

This edge release is a release candidate for `stable-2.5`.

* CLI
  * Introduced `--use-wait-flag` to the `linkerd install-cni` command, to
    configure the CNI plugin to use the `-w` flag for `iptables` commands
* Controller
  * Disabled the tap gRPC server listener. All tap requests now require RBAC
    authentication and authorization

## edge-19.8.3

This edge release introduces a new `linkerd stat trafficsplits` subcommand, to
show traffic split metrics. It also introduces a "Kubernetes cluster
monitoring" Grafana dashboard.

* CLI
  * Added traffic split metrics via `linkerd stat trafficsplits` subcommand
  * Fixed `linkerd uninject` not removing `linkerd.io/inject: enabled`
    annotations
  * Fixed `linkerd stat -h` example commands (thanks @ethan-daocloud!)
* Controller
  * Added support for namespace-level proxy override annotations
  * Removed unauthenticated tap from the Public API
* Proxy
  * Added `request_handle_us` histogram to measure proxy overhead
  * Updated the tap server to only admit requests from the control plane's tap
    controller
  * Fixed a bug where tap would stop streaming after a short amount of time
  * Fixed a bug that could cause the proxy to leak service discovery
    resolutions to the Destination controller
* Web UI
  * Added "Kubernetes cluster monitoring" Grafana dashboard with cluster and
    containers metrics
* Internal
  * Updated `linkerd install` and `linkerd upgrade` to use Helm charts for
    templating
  * Pinned Helm tooling to `v2.14.3`
  * Added Helm integration tests
  * Added container CPU and memory usage to `linkerd-heartbeat` requests
  * Removed unused inject code (thanks @alenkacz!)

## edge-19.8.2

This edge release introduces the new Linkerd control plane Helm chart, named
`linkerd2`. Helm users can now install and remove the Linkerd control plane by
using the `helm install` and `helm delete` commands. Proxy injection also now
uses Helm charts.

No changes were made to the existing `linkerd install` behavior.

For detailed installation steps using Helm, see the notes for
[#3146](https://github.com/linkerd/linkerd2/pull/3146).

* CLI
  * Updated `linkerd top` and `linkerd profile --tap` to require
    `tap.linkerd.io` RBAC privileges, see <https://linkerd.io/tap-rbac> for
    more info
  * Modified `tap.linkerd.io` APIService to enable usage in `kubectl auth
    can-i` commands
  * Introduced `--restrict-dashboard-privileges` flag to `linkerd install`
    command, to restrict the dashboard's default privileges to disallow tap
* Controller
  * Introduced a new ClusterRole, `linkerd-linkerd-tap-admin`, which gives
    cluster-wide tap privileges. Also introduced a new ClusterRoleBinding,
    `linkerd-linkerd-web-admin`, which binds the `linkerd-web` service account
    to the new tap ClusterRole
  * Removed successfully completed `linkerd-heartbeat` jobs from pod listing
    in the linkerd control plane to streamline `get po` output (thanks
    @Pothulapati!)
* Web UI
  * Updated the web server to use the new tap APIService. If the `linkerd-web`
    service account is not authorized to tap resources, users will see a link
    to documentation to remedy the error

## edge-19.8.1

### Significant Update

This edge release introduces a new tap APIService. The Kubernetes apiserver
authenticates the requesting tap user and then forwards tap requests to the
new tap APIServer. The `linkerd tap` command now makes requests against the
APIService.

With this release, users must be authorized via RBAC to use the `linkerd tap`
command. Specifically `linkerd tap` requires the `watch` verb on all resources
in the `tap.linkerd.io/v1alpha1` APIGroup. More granular access is also
available via sub-resources such as `deployments/tap` and `pods/tap`.

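
The RBAC requirement described above, as an added example that is not part of the Linkerd release notes or repository: a ClusterRole granting `watch` on every resource in the `tap.linkerd.io` API group, beside a narrower one limited to the `deployments/tap` and `pods/tap` sub-resources and bound in a single namespace. The role names, the namespace and the group subject are hypothetical.

```yaml
# Added example, not Linkerd's own manifests. The API group, the verb and the
# sub-resource names come from the release note; every metadata name, the
# namespace and the subject below are hypothetical.

# Broad grant: watch on all tap resources, usable cluster-wide once bound
# with a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tap-all                      # hypothetical
rules:
- apiGroups: ["tap.linkerd.io"]
  resources: ["*"]
  verbs: ["watch"]
---
# Narrow grant: only the deployment and pod tap sub-resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tap-workloads                # hypothetical
rules:
- apiGroups: ["tap.linkerd.io"]
  resources: ["deployments/tap", "pods/tap"]
  verbs: ["watch"]
---
# A RoleBinding (not a ClusterRoleBinding) scopes the narrow role to one
# namespace, so the subject can tap workloads there and nowhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tap-workloads-oncall         # hypothetical
  namespace: team-a                  # hypothetical
subjects:
- kind: Group
  name: oncall-engineers             # hypothetical
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tap-workloads
  apiGroup: rbac.authorization.k8s.io
```
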
* CLI
  * Added a check to the `linkerd check` command to validate the user has
    privileges necessary to create CronJobs
  * Introduced the `linkerd --as` flag which allows users to impersonate
    another user for Kubernetes operations
  * The `linkerd tap` command now makes requests against the tap APIService
* Controller
  * Added HTTP security headers on all dashboard responses
  * Fixed nil pointer dereference in the destination service when an endpoint
    does not have a `TargetRef`
  * Added resource limits when HA is enabled
  * Added RSA support to TLS libraries
  * Updated the destination service to return `InvalidArgument` for external
    name services so that the proxy does not immediately fail the request
  * The `l5d-require-id` header is now set on tap requests so that a
    connection is established over TLS
  * Introduced the `APIService/v1alpha1.tap.linkerd.io` global resource
  * Introduced the `ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator`
    global resource
  * Introduced the `Secret/linkerd-tap-tls` resource into the `linkerd`
    namespace
  * Introduced the `RoleBinding/linkerd-linkerd-tap-auth-reader` resource into
    the `kube-system` namespace
* Proxy
  * Added the `LINKERD2_PROXY_TAP_SVC_NAME` environment variable so that the
    tap server attempts to authorize client identities
* Internal
  * Replaced `dep` with Go modules for dependency management

## edge-19.7.5

* CLI
  * Improved the installation report produced by the `linkerd check` command
    to include the control plane pods' live status
  * Added the `--all-namespaces` (`-A`) option to the `linkerd get`, `linkerd
    edges` and `linkerd stat` commands to retrieve resources across all
    namespaces
* Controller
  * Fixed an issue with discovering StatefulSet pods via their unique hostname
  * Fixed an issue with traffic split where outbound proxy stats are missing
  * Bumped Prometheus to 2.11.1
  * Bumped Grafana to 6.2.5
  * Upgraded the service profile CRD to v1alpha2 where the openAPIV3Schema
    validation is replaced by a validating admission webhook. No changes
    required for users currently using v1alpha1
  * Updated the control plane's pod security policy to restrict workloads from
    running as `root` in the CNI mode (thanks @codeman9!)
  * Introduced cluster heartbeat cron job
* Proxy
  * Introduced the `l5d-require-id` header to enforce TLS outbound
    communication from the Tap server

## edge-19.7.4

* CLI
  * Made the `linkerd routes` command traffic-split aware
  * Fixed bug in the `linkerd upgrade config` command that was causing it to
    crash
  * Added pod status to the output of the `linkerd stat` command (thanks
    @jonathanbeber!)
  * Fixed incorrect "meshed" count in `linkerd stat` when resources share the
    same label selector for pods (thanks @jonathanbeber!)
  * Added namespace information to the `linkerd edges` command output and a
    new `-o wide` flag that shows the identity of the client and server if
    known
  * Added a new check to the `linkerd check --pre` command validating that if
    PSP is enabled, the NET_RAW capability is available
* Controller
  * Added pod anti-affinity rules to the control plane pods when HA is enabled
    (thanks @Pothulapati!)
* Proxy
  * Improved performance by using a constant-time load balancer
  * Added a new `/proxy-log-level` endpoint to update the log level at runtime

## stable-2.4.0

This release adds traffic splitting functionality, support for the Kubernetes
Service Mesh Interface (SMI), graduates high-availability support out of
experimental status, and adds a tremendous list of other improvements,
performance enhancements, and bug fixes.

Linkerd's new traffic splitting feature allows users to dynamically control
the percentage of traffic destined for a service. This powerful feature can be
used to implement rollout strategies like canary releases and blue-green
deploys. Support for the [Service Mesh Interface](https://smi-spec.io) (SMI)
makes it easier for ecosystem tools to work across all service mesh
implementations.

Along with the introduction of optional install stages via the `linkerd
install config` and `linkerd install control-plane` commands, the default
behavior of the `linkerd inject` command only adds annotations and defers
injection to the always-installed proxy injector component.

Finally, there have been many performance and usability improvements to the
proxy and UI, as well as production-ready features including:

* A new `linkerd edges` command that provides fine-grained observability into
  the TLS-based identity system
* A `--enable-debug-sidecar` flag for the `linkerd inject` command that
  improves debugging efforts

Linkerd recently passed a CNCF-sponsored security audit! Check out the
in-depth report
[here](https://github.com/linkerd/linkerd2/blob/master/SECURITY_AUDIT.pdf).

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
plane. This command ensures that all of the existing control plane's
configuration and mTLS secrets are retained. For more details, please see the
[upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0).

**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr,
@matej-g, @Pothulapati, @zaharidichev

**Full release notes**:

* CLI
  * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy
    injector is now always installed
  * **Breaking Change** Replaced the `--linkerd-version` flag with the
    `--proxy-version` flag in the `linkerd install` and `linkerd upgrade`
    commands, which allows setting the version for the injected proxy sidecar
    image, without changing the image versions for the control plane
  * Introduced install stages: `linkerd install config` and `linkerd install
    control-plane`
  * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade
    control-plane`
  * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing
    manually feeding a previously saved output of `linkerd install` into the
    command, instead of requiring a connection to the cluster to fetch the
    config
  * Introduced a new `--manual` flag to `linkerd inject` to output the proxy
    sidecar container spec
  * Introduced a new `--enable-debug-sidecar` flag to `linkerd inject`, that
    injects a debug sidecar to inspect traffic to and from the meshed pod
  * Added a new check for unschedulable pods and PSP issues (thanks,
    @liquidslr!)
  * Disabled the spinner in `linkerd check` when running without a TTY
  * Ensured the ServiceAccount for the proxy injector is created before its
    Deployment to avoid warnings when installing the proxy injector (thanks,
    @dwj300!)
  * Added a `linkerd check config` command for verifying that `linkerd install
    config` was successful
  * Improved the help documentation of `linkerd install` to clarify flag usage
  * Added support for private Kubernetes clusters by changing the CLI to
    connect to the control plane using a port-forward (thanks, @jackprice!)
  * Fixed `linkerd check` and `linkerd dashboard` failing when any control
    plane pod is not ready, even when multiple replicas exist (as in HA mode)
  * **New** Added a `linkerd edges` command that shows the source and
    destination name and identity for proxied connections, to assist in
    debugging
  * Tap can now be disabled for specific pods during injection by using the
    `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`
    annotation
  * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
  * Added a JSON option to the `linkerd edges` command so that output is
    scripting friendly and can be parsed easily (thanks @alenkacz!)
  * Fixed an issue where, when Linkerd is installed with `--ha`, running
    `linkerd upgrade` without `--ha` would disable the high availability
    control plane
  * Fixed an issue with `linkerd upgrade` where running without `--ha` would
    unintentionally disable high availability features if they were previously
    enabled
  * Added a `--init-image-version` flag to `linkerd inject` to override the
    injected proxy-init container version
  * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so
    that `NET_ADMIN` capability is omitted from the CNI-enabled control
    plane's PSP
  * Updated `linkerd check` to validate the caller can create
    `PodSecurityPolicy` resources
  * Added a check to `linkerd install` to prevent installing multiple control
    planes into different namespaces to avoid conflicts between global
    resources
  * Added support for passing a URL directly to `linkerd inject` (thanks
    @Pothulapati!)
  * Added more descriptive output to the `linkerd check` output for control
    plane ReplicaSet readiness
  * Refactored the `linkerd endpoints` command to use the same interface as
    used by the proxy for service discovery information
  * Fixed a bug where `linkerd inject` would fail when given a path to a file
    outside the current directory
  * Graduated high-availability support out of experimental status
  * Modified the error message for `linkerd install` to provide instructions
    for proceeding when an existing installation is found
* Controller
  * Added Go pprof HTTP endpoints to all control plane components' admin
    servers to better assist debugging efforts
  * Fixed bug in the proxy injector, where sporadically the pod workload owner
    wasn't properly determined, which would result in erroneous stats
  * Added support for a new `config.linkerd.io/disable-identity` annotation to
    opt out of identity for a specific pod
  * Fixed pod creation failure when a `ResourceQuota` exists by adding a
    default resource spec for the proxy-init init container
  * Fixed control plane components failing on startup when the Kubernetes API
    returns an `ErrGroupDiscoveryFailed`
  * Added Controller Component Labels to the webhook config resources (thanks,
    @Pothulapati!)
  * Moved the tap service into its own pod
  * **New** Control plane installations now generate a self-signed certificate
    and private key pair for each webhook, to prepare for future work to make
    the proxy injector and service profile validator HA
  * Added the `config.linkerd.io/enable-debug-sidecar` annotation allowing the
    `--enable-debug-sidecar` flag to work when auto-injecting Linkerd proxies
  * Added multiple replicas for the `proxy-injector` and `sp-validator`
    controllers when run in high availability mode (thanks to @Pothulapati!)
  * Defined least privilege default security context values for the proxy
    container so that auto-injection does not fail (thanks @codeman9!)
  * Defaulted the webhook failure policy to `Fail` in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  * Introduced control plane's PSP and RBAC resources into Helm templates;
    these policies are only in effect if the PSP admission controller is
    enabled
  * Removed `UPDATE` operation from proxy-injector webhook because pod
    mutations are disallowed during update operations
  * Defaulted the mutating and validating webhook configurations'
    `sideEffects` property to `None` to indicate that the webhooks have no
    side effects on other resources (thanks @Pothulapati!)
  * Added support for the SMI TrafficSplit API which allows users to define
    traffic splits in TrafficSplit custom resources
  * Added the `linkerd.io/control-plane-ns` label to all Linkerd resources
    allowing them to be identified using a label selector
  * Added Prometheus metrics for the Kubernetes watchers in the destination
    service for better visibility
* Proxy
  * Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  * Fixed an issue where load balancers can become stuck
  * Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  * Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  * Fixed an epoll notification issue that could cause excessive CPU usage
  * Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)
  * Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination
  * The `l5d-override-dst` header is now used for inbound service profile
    discovery
  * Added error totals to `response_total` metrics
  * Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
  * Added the `NET_RAW` capability to the proxy-init container to be
    compatible with `PodSecurityPolicy`s that use `drop: all`
  * Fixed the proxy rejecting HTTP/2 requests that don't have an `:authority`
  * Improved idle service eviction to reduce resource consumption for clients
    that send requests to many services
  * Fixed proxied HTTP/2 connections returning 502 errors when the upstream
    connection is reset, rather than propagating the reset to the client
  * Changed the proxy to treat unexpected HTTP/2 frames as stream errors
    rather than connection errors
  * Fixed a bug where DNS queries could persist longer than necessary
  * Improved router eviction to remove idle services in a more timely manner
  * Fixed a bug where the proxy would fail to process requests with obscure
    characters in the URI
* Web UI
  * Added the Font Awesome stylesheet locally; this allows both Font Awesome
    and Material-UI sidebar icons to display consistently with no/limited
    internet access (thanks again, @liquidslr!)
  * Removed the Authorities table and sidebar link from the dashboard to
    prepare for a new, improved dashboard view communicating authority data
  * Fixed dashboard behavior that caused incorrect table sorting
  * Removed the "Debug" page from the Linkerd dashboard while the
    functionality of that page is being redesigned
  * Added an Edges table to the resource detail view that shows the source,
    destination name, and identity for proxied connections
  * Improved UI for Edges table in dashboard by changing column names, adding
    a "Secured" icon and showing an empty Edges table in the case of no
    returned edges
* Internal
  * Known container errors were hidden in the integration tests; now they are
    reported in the output without having the tests fail
  * Fixed integration tests by adding known proxy-injector log warning to
    tests
  * Modified the integration test for `linkerd upgrade` in order to test
    upgrading from the latest stable release instead of the latest edge and
    reflect the typical use case
  * Moved the proxy-init container to a separate `linkerd/proxy-init` Git
    repository

## edge-19.7.3

* CLI
  * Graduated high-availability support out of experimental status
  * Modified the error message for `linkerd install` to provide instructions
    for proceeding when an existing installation is found
* Controller
  * Added Prometheus metrics for the Kubernetes watchers in the destination
    service for better visibility

## edge-19.7.2

* CLI
  * Refactored the `linkerd endpoints` command to use the same interface as
    used by the proxy for service discovery information
  * Fixed a bug where `linkerd inject` would fail when given a path to a file
    outside the current directory
* Proxy
  * Fixed a bug where DNS queries could persist longer than necessary
  * Improved router eviction to remove idle services in a more timely manner
  * Fixed a bug where the proxy would fail to process requests with obscure
    characters in the URI

6213## edge-19.7.1
6214
6215* CLI
6216 * Added more descriptive output to the `linkerd check` output for control
6217 plane ReplicaSet readiness
6218 * **Breaking change** Renamed `config.linkerd.io/debug` annotation to
6219 `config.linkerd.io/enable-debug-sidecar`, to match the
6220 `--enable-debug-sidecar` CLI flag that sets it
6221 * Fixed a bug in `linkerd edges` that caused incorrect identities to be
6222 displayed when requests were sent from two or more namespaces
* Controller
  * Added the `linkerd.io/control-plane-ns` label to the SMI Traffic Split CRD
* Proxy
  * Fixed proxied HTTP/2 connections returning 502 errors when the upstream
    connection is reset, rather than propagating the reset to the client
  * Changed the proxy to treat unexpected HTTP/2 frames as stream errors
    rather than connection errors

## edge-19.6.4

This release adds support for the SMI [Traffic
Split](https://github.com/deislabs/smi-spec/blob/master/traffic-split.md) API.
Creating a TrafficSplit resource will cause Linkerd to split traffic between
the specified backend services. Please see [the
spec](https://github.com/deislabs/smi-spec/blob/master/traffic-split.md) for
more details.

* CLI
  * Added a check to `install` to prevent installing multiple control planes
    into different namespaces
  * Added support for passing a URL directly to `linkerd inject` (thanks
    @Pothulapati!)
  * Added the `--all-namespaces` flag to `linkerd edges`
* Controller
  * Added support for the SMI TrafficSplit API which allows users to define
    traffic splits in TrafficSplit custom resources
* Web UI
  * Improved UI for Edges table in dashboard by changing column names, adding
    a "Secured" icon and showing an empty Edges table in the case of no
    returned edges

## edge-19.6.3

* CLI
  * Updated `linkerd check` to validate the caller can create
    `PodSecurityPolicy` resources
* Controller
  * Defaulted the mutating and validating webhook configurations `sideEffects`
    property to `None` to indicate that the webhooks have no side effects on
    other resources (thanks @Pothulapati!)
* Proxy
  * Added the `NET_RAW` capability to the proxy-init container to be
    compatible with `PodSecurityPolicy`s that use `drop: all`
  * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`
  * Improved idle service eviction to reduce resource consumption for clients
    that send requests to many services
* Web UI
  * Removed the "Debug" page from the Linkerd dashboard while the
    functionality of that page is being redesigned
  * Added an Edges table to the resource detail view that shows the source,
    destination name, and identity for proxied connections

## edge-19.6.2

* CLI
  * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so
    that `NET_ADMIN` capability is omitted from the CNI-enabled control
    plane's PSP
* Controller
  * Defaulted to least-privilege security context values for the proxy
    container so that auto-inject does not fail on restricted PSPs (thanks
    @codeman9!)
  * Defined least privilege default security context values for the proxy
    container so that auto-injection does not fail on (thanks @codeman9!)
  * Defaulted the webhook failure policy to `Fail` in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  * Introduced control plane's PSP and RBAC resources into Helm templates;
    these policies are only in effect if the PSP admission controller is
    enabled
  * Removed `UPDATE` operation from proxy-injector webhook because pod
    mutations are disallowed during update operations
* Proxy
  * The `l5d-override-dst` header is now used for inbound service profile
    discovery
  * Included errors in `response_total` metrics
  * Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
* Web UI
  * Fixed dashboard behavior that caused incorrect table sorting

## edge-19.6.1

* CLI
  * Fixed an issue where, when Linkerd is installed with `--ha`, running
    `linkerd upgrade` without `--ha` will disable the high availability
    control plane
  * Added a `--init-image-version` flag to `linkerd inject` to override the
    injected proxy-init container version
* Controller
  * Added multiple replicas for the `proxy-injector` and `sp-validator`
    controllers when run in high availability mode (thanks to @Pothulapati!)
* Proxy
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination
* Internal
  * Moved the proxy-init container to a separate `linkerd/proxy-init` Git
    repository

## stable-2.3.2

This stable release fixes a memory leak in the proxy.

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Full release notes**:

* Proxy
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination

## edge-19.5.4

* CLI
  * Added a JSON option to the `linkerd edges` command so that output is
    scripting friendly and can be parsed easily (thanks @alenkacz!)
* Controller
  * **New** Control plane installations now generate a self-signed certificate
    and private key pair for each webhook, to prepare for future work to make
    the proxy injector and service profile validator HA
  * Added a debug container annotation, allowing the `--enable-debug-sidecar`
    flag to work when auto-injecting Linkerd proxies
* Proxy
  * Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
* Web UI
  * Removed the Authorities table and sidebar link from the dashboard to
    prepare for a new, improved dashboard view communicating authority data
* Internal
  * Modified the integration test for `linkerd upgrade` to test upgrading from
    the latest stable release instead of the latest edge, to reflect the
    typical use case

## stable-2.3.1

This stable release adds a number of proxy stability improvements.

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Special thanks to**: @zaharidichev and @11Takanori!

**Full release notes**:

* Proxy
  * Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
  * Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  * Fixed an issue where requests could be held indefinitely by the load
    balancer
  * Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  * Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  * Fixed an epoll notification issue that could cause excessive CPU usage
  * Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)

## edge-19.5.3

* CLI
  * **New** Added a `linkerd edges` command that shows the source and
    destination name and identity for proxied connections, to assist in
    debugging
  * Tap can now be disabled for specific pods during injection by using the
    `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`
    annotation
  * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
* Controller
  * Added Controller Component Labels to the webhook config resources (thanks,
    @Pothulapati!)
  * Moved the tap service into its own pod
* Proxy
  * Fixed an epoll notification issue that could cause excessive CPU usage
  * Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)

## edge-19.5.2

* CLI
  * Fixed `linkerd check` and `linkerd dashboard` failing when any control
    plane pod is not ready, even when multiple replicas exist (as in HA mode)
* Controller
  * Fixed control plane components failing on startup when the Kubernetes API
    returns an `ErrGroupDiscoveryFailed`
* Proxy
  * Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  * Removed the limit on the number of concurrently active service discovery
    queries to the destination service

Special thanks to @zaharidichev for adding end to end tests for proxies with
TLS!

## edge-19.5.1

* CLI
  * Added a `linkerd check config` command for verifying that `linkerd install
    config` was successful
  * Improved the help documentation of `linkerd install` to clarify flag usage
  * Added support for private Kubernetes clusters by changing the CLI to
    connect to the control plane using a port-forward (thanks, @jackprice!)
* Controller
  * Fixed pod creation failure when a `ResourceQuota` exists by adding a
    default resource spec for the proxy-init init container
* Proxy
  * Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  * Fixed an issue where load balancers can become stuck
* Internal
  * Fixed integration tests by adding known proxy-injector log warning to
    tests

## edge-19.4.5

### Significant Update

As of this edge release the proxy injector component is always installed. To
have the proxy injector inject a pod, you can still manually add the
`linkerd.io/inject: enable` annotation to the pod spec, or add it at the
namespace level to have all your pods injected by default. With this release,
the behaviour of the `linkerd inject` command changes: the proxy sidecar
container YAML is no longer included in its output by default; instead, the
command only adds the annotations that defer the injection to the proxy
injector. For use cases that require the full injected YAML to be output, a new
`--manual` flag has been added.

Another important update is the introduction of install stages. You still have
the old `linkerd install` command, but now it can be broken into `linkerd
install config`, which installs the resources that require cluster-level
privileges, and `linkerd install control-plane`, which continues with the
resources that only require namespace-level privileges. This also applies to
the `linkerd upgrade` command.

* CLI
  * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy
    injector is now always installed
  * **Breaking Change** Replaced the `--linkerd-version` flag with the
    `--proxy-version` flag in the `linkerd install` and `linkerd upgrade`
    commands, which allows setting the version for the injected proxy sidecar
    image, without changing the image versions for the control plane
  * Introduced install stages: `linkerd install config` and `linkerd install
    control-plane`
  * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade
    control-plane`
  * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing
    manually feeding a previously saved output of `linkerd install` into the
    command, instead of requiring a connection to the cluster to fetch the
    config
  * Introduced a new `--manual` flag to `linkerd inject` to output the proxy
    sidecar container spec
  * Introduced a new `--enable-debug-sidecar` option to `linkerd inject`, that
    injects a debug sidecar to inspect traffic to and from the meshed pod
  * Added a new check for unschedulable pods and PSP issues (thanks,
    @liquidslr!)
  * Disabled the spinner in `linkerd check` when running without a TTY
  * Ensured the ServiceAccount for the proxy injector is created before its
    Deployment to avoid warnings when installing the proxy injector (thanks,
    @dwj300!)

* Controller
  * Added Go pprof HTTP endpoints to all control plane components' admin
    servers to better assist debugging efforts
  * Fixed bug in the proxy injector, where sporadically the pod workload owner
    wasn't properly determined, which would result in erroneous stats
  * Added support for a new `config.linkerd.io/disable-identity` annotation to
    opt out of identity for a specific pod

* Web UI
  * Added the Font Awesome stylesheet locally; this allows both Font Awesome
    and Material-UI sidebar icons to display consistently with no/limited
    internet access (thanks again, @liquidslr!)

* Internal
  * Known container errors were hidden in the integration tests; now they are
    reported in the output, still without having the tests fail

## stable-2.3.0

This stable release introduces a new TLS-based service identity system into
the default Linkerd installation, replacing `--tls=optional` and the
`linkerd-ca` controller. Now, proxies generate ephemeral private keys into a
tmpfs directory and dynamically refresh certificates, authenticated by
Kubernetes ServiceAccount tokens, and tied to ServiceAccounts as the identity
primitive.

In this release, all meshed HTTP communication is private and authenticated by
default.

Among the many improvements to the web dashboard, we've added a Community page
to surface news and updates from linkerd.io.

For more details, see the announcement blog post:
<https://linkerd.io/2019/04/16/announcing-linkerd-2.3/>

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: The `linkerd-ca` controller has been removed in favor of
the `linkerd-identity` controller. If you had previously installed Linkerd
with `--tls=optional`, manually delete the `linkerd-ca` deployment after
upgrading. Also, `--single-namespace` mode is no longer supported. For full
details on upgrading to this release, please see the [upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-3-0).

**Special thanks to**: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk,
@liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!

**Full release notes**:

* CLI
  * Introduced an `upgrade` command! This allows an existing Linkerd control
    plane to be reinstalled or reconfigured; it is particularly useful for
    automatically reusing flags set in the previous `install` or `upgrade`
  * Introduced the `linkerd metrics` command for fetching proxy metrics
  * **Breaking Change:** The `--linkerd-cni-enabled` flag has been removed
    from the `inject` command; CNI is configured at the cluster level with the
    `install` command and no longer applies to the `inject` command
  * **Breaking Change** Removed the `--disable-external-profiles` flag from
    the `install` command; external profiles are now disabled by default and
    can be enabled with the new `--enable-external-profiles` flag
  * **Breaking change** Removed the `--api-port` flag from the `inject` and
    `install` commands, since there's no benefit to running the control
    plane's destination API on a non-default port (thanks, @paranoidaditya)
  * **Breaking change** Removed the `--tls=optional` flag from the `linkerd
    install` command, since TLS is now enabled by default
  * Changed `install` to accept or generate an issuer Secret for the Identity
    controller
  * Changed `install` to fail in the case of a conflict with an existing
    installation; this can be disabled with the `--ignore-cluster` flag
  * Added the ability to adjust the Prometheus log level via
    `--controller-log-level`
  * Implemented `--proxy-cpu-limit` and `--proxy-memory-limit` for setting the
    proxy resources limits (`--proxy-cpu` and `--proxy-memory` were deprecated
    in favor of `proxy-cpu-request` and `proxy-memory-request`) (thanks
    @TwinProduction!)
  * Added a validator for the `--proxy-log-level` flag
  * Updated the `inject` and `uninject` subcommands to issue warnings when
    resources lack a `Kind` property (thanks @Pothulapati!)
  * The `inject` command proxy options are now converted into config
    annotations; the annotations ensure that these configs are persisted in
    subsequent resource updates
  * Changed `inject` to require fetching a configuration from the control
    plane; this can be disabled with the `--ignore-cluster` and
    `--disable-identity` flags, though this will prevent the injected pods
    from participating in mesh identity
  * Included kubectl version check as part of `linkerd check` (thanks @yb172!)
  * Updated `linkerd check` to ensure hint URLs are displayed for RPC checks
  * Fixed sporadic (and harmless) race condition error in `linkerd check`
  * Introduced a check for NET_ADMIN in `linkerd check`
  * Fixed permissions check for CRDs
  * Updated the `linkerd dashboard` command to serve the dashboard on a fixed
    port, allowing it to leverage browser local storage for user settings
  * Updated the `linkerd routes` command to display rows for routes that are
    not receiving any traffic
  * Added TCP stats to the stat command, under the `-o wide` and `-o json`
    flags
  * The `stat` command now always shows the number of open TCP connections
  * Removed TLS metrics from the `stat` command; this is in preparation for
    surfacing identity metrics in a clearer way
  * Exposed the `install-cni` command and its flags, and tweaked their
    descriptions
  * Eliminated false-positive vulnerability warnings related to go.uuid
* Controller
  * Added a new public API endpoint for fetching control plane configuration
  * **Breaking change** Removed support for running the control plane in
    single-namespace mode, which was severely limited in the number of
    features it supported due to not having access to cluster-wide resources;
    the end goal being Linkerd degrading gracefully depending on its
    privileges
  * Updated automatic proxy injection and CLI injection to support overriding
    inject defaults via pod spec annotations
  * Added support for the `config.linkerd.io/proxy-version` annotation on pod
    specs; this will override the injected proxy version
  * The auto-inject admission controller webhook is updated to watch pod
    creation and update events; with this change, proxy auto-injection now
    works for all kinds of workloads, including StatefulSets, DaemonSets,
    Jobs, etc
  * Service profile validation is now performed via a webhook endpoint; this
    prevents Kubernetes from accepting invalid service profiles
  * Changed the default CPU request from `10m` to `100m` for HA deployments;
    this will help prevent some intermittent liveness/readiness probes from
    failing due to tight resource constraints
  * Updated destination service to return TLS identities only when the
    destination pod is TLS-aware and is in the same controller namespace
  * Lessened the klog level to improve security
  * Updated control plane components to query Kubernetes at startup to
    determine authorized namespaces and if ServiceProfile support is available
  * Modified the stats payload to include the following TCP stats:
    `tcp_open_connections`, `tcp_read_bytes_total`, `tcp_write_bytes_total`
  * Instrumented clients in the control plane connecting to Kubernetes, thus
    providing better visibility for diagnosing potential problems with those
    connections
  * Renamed the "linkerd-proxy-api" service to "linkerd-destination"
  * Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
* Proxy
  * Introduced per-proxy private key generation and dynamic certificate
    renewal
  * **Fixed** a connection starvation issue where TLS discovery detection on
    slow or idle connections could block all other connections from being
    accepted on the inbound listener of the proxy
  * **Fixed** a stream leak between the proxy and the control plane that could
    cause the `linkerd-controller` pod to use an excessive amount of memory
  * Added a readiness check endpoint on `:4191/ready` so that Kubernetes
    doesn't consider pods ready until they have acquired a certificate from
    the Identity controller
  * Some `l5d-*` informational headers have been temporarily removed from
    requests and responses because they could leak information to external
    clients
  * The proxy's connect timeouts have been updated, especially to improve
    reconnect behavior between the proxy and the control plane
  * Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
  * The `l5d-remote-ip` header is now set on inbound requests and outbound
    responses
  * Fixed issue with proxy falling back to filesystem polling due to
    improperly sized inotify buffer
* Web UI
  * **New** Added a Community page to surface news and updates from linkerd.io
  * Added a Debug page to the web dashboard, allowing you to introspect
    service discovery state
  * The Overview page in the Linkerd dashboard now renders appropriately when
    viewed on mobile devices
  * Added filter functionality to the metrics tables
  * Added stable sorting for table rows
  * Added TCP stats to the Linkerd Pod Grafana dashboard
  * Added TCP stat tables on the namespace landing page and resource detail
    page
  * The topology graph now shows TCP stats if no HTTP stats are available
  * Improved table display on the resource detail page for resources with
    TCP-only traffic
  * Updated the resource detail page to start displaying a table with TCP
    stats
  * Modified the Grafana variable queries to use a TCP-based metric, so that
    if there is only TCP traffic then the dropdowns don't end up empty
  * Fixed sidebar not updating when resources were added/deleted (thanks
    @liquidslr!)
  * Added validation to the "new service profile" form (thanks @liquidslr!)
  * Added a Grafana dashboard and web tables for displaying Job stats (thanks,
    @Pothulapati!)
  * Removed TLS columns from the dashboard tables; this is in preparation for
    surfacing identity metrics in a clearer way
  * Fixed the behavior of the Top query 'Start' button if a user's query
    returns no data
  * Fixed an issue with the order of tables returned from a Top Routes query
  * Added text wrap for paths in the modal for expanded Tap query data
  * Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
  * Updated sorting of route table to move default routes to the bottom
  * Removed 'Help' hierarchy and surfaced links on navigation sidebar
  * Ensured that all the tooltips in Grafana displaying the series are shared
    across all the graphs
* Internals
  * Improved the `bin/go-run` script for the build process so that on failure,
    all associated background processes are terminated
  * Added more log errors to the integration tests
  * Removed the GOPATH dependence from the CLI dev environment
  * Consolidated injection code from CLI and admission controller code paths
  * Enabled the following linters: `unparam`, `unconvert`, `goimports`,
    `goconst`, `scopelint`, `unused`, `gosimple`
  * Bumped base Docker images
  * Added the flags `-update` and `-pretty-diff` to tests to allow overwriting
    fixtures and to print the full text of the fixtures upon mismatches
  * Introduced golangci-lint tooling, using `.golangci.yml` to centralize the
    config
  * Added a `-cover` parameter to track code coverage in go tests (more info
    in TEST.md)
  * Renamed a function in a test that was shadowing a go built-in function
    (thanks @huynq0911!)

## edge-19.4.4

* Proxy
  * **Fixed** a connection starvation issue where TLS discovery detection on
    slow or idle connections could block all other connections from being
    accepted on the inbound listener of the proxy
* CLI
  * **Fixed** `inject` to allow the `--disable-identity` flag to be used
    without having to specify the `--ignore-cluster` flag
* Web UI
  * The Overview page in the Linkerd dashboard now renders appropriately when
    viewed on mobile devices

## edge-19.4.3

* CLI
  * **Fixed** `linkerd upgrade` command not upgrading proxy containers (thanks
    @jon-walton for the issue report!)
  * **Fixed** `linkerd upgrade` command not installing the identity service
    when it was not already installed
  * Eliminated false-positive vulnerability warnings related to go.uuid

Special thanks to @KatherineMelnyk for updating the web component to read the
UUID from the `linkerd-config` ConfigMap!

## edge-19.4.2

* CLI
  * Removed TLS metrics from the `stat` command; this is in preparation for
    surfacing identity metrics in a clearer way
  * The `upgrade` command now outputs a URL that explains next steps for
    upgrading
  * **Breaking Change:** The `--linkerd-cni-enabled` flag has been removed
    from the `inject` command; CNI is configured at the cluster level with the
    `install` command and no longer applies to the `inject` command
* Controller
  * Service profile validation is now performed via a webhook endpoint; this
    prevents Kubernetes from accepting invalid service profiles
  * Added support for the `config.linkerd.io/proxy-version` annotation on pod
    specs; this will override the injected proxy version
  * Changed the default CPU request from `10m` to `100m` for HA deployments;
    this will help prevent some intermittent liveness/readiness probes from
    failing due to tight resource constraints
* Proxy
  * The `CommonName` field on CSRs is now set to the proxy's identity name
* Web UI
  * Removed TLS columns from the dashboard tables; this is in preparation for
    surfacing identity metrics in a clearer way

## edge-19.4.1

* CLI
  * Introduced an `upgrade` command! This allows an existing Linkerd control
    plane to be reinstalled or reconfigured; it is particularly useful for
    automatically reusing flags set in the previous `install` or `upgrade`
  * The `inject` command proxy options are now converted into config
    annotations; the annotations ensure that these configs are persisted in
    subsequent resource updates
  * The `stat` command now always shows the number of open TCP connections
  * **Breaking Change** Removed the `--disable-external-profiles` flag from
    the `install` command; external profiles are now disabled by default and
    can be enabled with the new `--enable-external-profiles` flag
* Controller
  * The auto-inject admission controller webhook is updated to watch pod
    creation and update events; with this change, proxy auto-injection now
    works for all kinds of workloads, including StatefulSets, DaemonSets,
    Jobs, etc
* Proxy
  * Some `l5d-*` informational headers have been temporarily removed from
    requests and responses because they could leak information to external
    clients
* Web UI
  * The topology graph now shows TCP stats if no HTTP stats are available
  * Improved table display on the resource detail page for resources with
    TCP-only traffic
  * Added validation to the "new service profile" form (thanks @liquidslr!)

## edge-19.3.3

### Significant Update

This edge release introduces a new TLS Identity system into the default
Linkerd installation, replacing `--tls=optional` and the `linkerd-ca`
controller. Now, proxies generate ephemeral private keys into a tmpfs
directory and dynamically refresh certificates, authenticated by Kubernetes
ServiceAccount tokens, via the newly-introduced Identity controller.

Now, all meshed HTTP communication is private and authenticated by default.

* CLI
  * Changed `install` to accept or generate an issuer Secret for the Identity
    controller
  * Changed `install` to fail in the case of a conflict with an existing
    installation; this can be disabled with the `--ignore-cluster` flag
  * Changed `inject` to require fetching a configuration from the control
    plane; this can be disabled with the `--ignore-cluster` and
    `--disable-identity` flags, though this will prevent the injected pods
    from participating in mesh identity
  * **Breaking change** Removed the `--tls=optional` flag from the `linkerd
    install` command, since TLS is now enabled by default
  * Added the ability to adjust the Prometheus log level
* Proxy
  * **Fixed** a stream leak between the proxy and the control plane that could
    cause the `linkerd-controller` pod to use an excessive amount of memory
  * Introduced per-proxy private key generation and dynamic certificate
    renewal
  * Added a readiness check endpoint on `:4191/ready` so that Kubernetes
    doesn't consider pods ready until they have acquired a certificate from
    the Identity controller
  * The proxy's connect timeouts have been updated, especially to improve
    reconnect behavior between the proxy and the control plane
* Web UI
  * Added TCP stats to the Linkerd Pod Grafana dashboard
  * Fixed the behavior of the Top query 'Start' button if a user's query
    returns no data
  * Added stable sorting for table rows
  * Fixed an issue with the order of tables returned from a Top Routes query
  * Added text wrap for paths in the modal for expanded Tap query data
* Internal
  * Improved the `bin/go-run` script for the build process so that on failure,
    all associated background processes are terminated

Special thanks to @liquidslr for many useful UI and log changes, and to
@mmalone and @sourishkrout at @smallstep for collaboration and advice on the
Identity system!

## edge-19.3.2

* Controller
  * **Breaking change** Removed support for running the control plane in
    single-namespace mode, which was severely limited in the number of
    features it supported due to not having access to cluster-wide resources
  * Updated automatic proxy injection and CLI injection to support overriding
    inject defaults via pod spec annotations
  * Added a new public API endpoint for fetching control plane configuration
* CLI
  * **Breaking change** Removed the `--api-port` flag from the `inject` and
    `install` commands, since there's no benefit to running the control
    plane's destination API on a non-default port (thanks, @paranoidaditya)
  * Introduced the `linkerd metrics` command for fetching proxy metrics
  * Updated the `linkerd routes` command to display rows for routes that are
    not receiving any traffic
  * Updated the `linkerd dashboard` command to serve the dashboard on a fixed
    port, allowing it to leverage browser local storage for user settings
* Web UI
  * **New** Added a Community page to surface news and updates from linkerd.io
  * Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
  * Added a Grafana dashboard and web tables for displaying Job stats (thanks,
    @Pothulapati!)
  * Updated sorting of route table to move default routes to the bottom
  * Added TCP stat tables on the namespace landing page and resource detail
    page

## edge-19.3.1

* CLI
  * Introduced a check for NET_ADMIN in `linkerd check`
  * Fixed permissions check for CRDs
  * Included kubectl version check as part of `linkerd check` (thanks @yb172!)
  * Added TCP stats to the stat command, under the `-o wide` and `-o json`
    flags
6856* Controller
6857 * Updated the `mutatingwebhookconfiguration` so that it is recreated when
6858 the proxy injector is restarted, so that the MWC always picks up the
6859 latest config template during version upgrade
6860* Proxy
6861 * Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
6862 * The `l5d-remote-ip` header is now set on inbound requests and outbound
6863 responses
6864* Web UI
6865 * Fixed sidebar not updating when resources were added/deleted (thanks
6866 @liquidslr!)
6867 * Added filter functionality to the metrics tables
6868* Internal
6869 * Added more log errors to the integration tests
6870 * Removed the GOPATH dependence from the CLI dev environment
6871 * Consolidated injection code from CLI and admission controller code paths
6872
6873## edge-19.2.5
6874
6875* CLI
6876 * Updated `linkerd check` to ensure hint URLs are displayed for RPC checks
6877* Controller
6878 * Updated the auto-inject admission controller webhook to respond to UPDATE
6879 events for deployment workloads
6880 * Updated destination service to return TLS identities only when the
6881 destination pod is TLS-aware and is in the same controller namespace
6882 * Lowered the klog level to improve security
6883 * Updated control plane components to query Kubernetes at startup to
6884 determine authorized namespaces and if ServiceProfile support is available
6885 * Modified the stats payload to include the following TCP stats:
6886 `tcp_open_connections`, `tcp_read_bytes_total`, `tcp_write_bytes_total`
6887* Proxy
6888 * Fixed issue with proxy falling back to filesystem polling due to
6889 improperly sized inotify buffer
6890* Web UI
6891 * Removed 'Help' hierarchy and surfaced links on navigation sidebar
6892 * Added a Debug page to the web dashboard, allowing you to introspect
6893 service discovery state
6894 * Updated the resource detail page to start displaying a table with TCP
6895 stats
6896* Internal
6897 * Enabled the following linters: `unparam`, `unconvert`, `goimports`,
6898 `goconst`, `scopelint`, `unused`, `gosimple`
6899 * Bumped base Docker images
6900
6901## stable-2.2.1
6902
6903This stable release polishes some of the CLI help text and fixes two issues
6904that came up since the stable-2.2.0 release.
6905
6906To install this release, run: `curl https://run.linkerd.io/install | sh`
6907
6908**Full release notes**:
6909
6910* CLI
6911 * Fixed handling of kubeconfig server urls that include paths
6912 * Updated the description of the `--proxy-auto-inject` flag to indicate that
6913 it is no longer experimental
6914 * Updated the `profile` help text to match the other commands
6915 * Added the "ep" alias for the `endpoints` command
6916* Controller
6917 * Stopped logging an error when a route doesn't specify a timeout
6918
6919## edge-19.2.4
6920
6921* CLI
6922 * Implemented `--proxy-cpu-limit` and `--proxy-memory-limit` for setting the
6923 proxy resources limits (`--proxy-cpu` and `--proxy-memory` were deprecated
6924 in favor of `proxy-cpu-request` and `proxy-memory-request`) (thanks
6925 @TwinProduction!)
6926 * Updated the `inject` and `uninject` subcommands to issue warnings when
6927 resources lack a `Kind` property (thanks @Pothulapati!)
6928 * Exposed the `install-cni` command and its flags, and tweaked their
6929 descriptions
6930 * Fixed handling of kubeconfig server urls that include paths
6931 * Updated the description of the `--proxy-auto-inject` flag to indicate that
6932 it is no longer experimental
6933 * Updated the `profile` help text to match the other commands
6934 * Added the "ep" alias for the `endpoints` command (also @Pothulapati!)
6935 * Added a validator for the `--proxy-log-level` flag
6936 * Fixed sporadic (and harmless) race condition error in `linkerd check`
6937* Controller
6938 * Instrumented clients in the control plane connecting to Kubernetes, thus
6939 providing better visibility for diagnosing potential problems with those
6940 connections
6941 * Stopped logging an error when a route doesn't specify a timeout
6942 * Renamed the "linkerd-proxy-api" service to "linkerd-destination"
6943 * Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
6944* Web UI
6945 * Modified the Grafana variable queries to use a TCP-based metric, so that
6946 if there is only TCP traffic then the dropdowns don't end up empty
6947 * Ensured that all the tooltips in Grafana displaying the series are shared
6948 across all the graphs
6949* Internals
6950 * Added the flags `-update` and `-pretty-diff` to tests to allow overwriting
6951 fixtures and to print the full text of the fixtures upon mismatches
6952 * Introduced golangci-lint tooling, using `.golangci.yml` to centralize the
6953 config
6954 * Added a `-cover` parameter to track code coverage in go tests (more info
6955 in TEST.md)
6956 * Added integration tests for `--single-namespace`
6957 * Renamed a function in a test that was shadowing a go built-in function
6958 (thanks @huynq0911!)
6959
6960## stable-2.2.0
6961
6962This stable release introduces automatic request retries and timeouts, and
6963graduates auto-inject to be a fully-supported (non-experimental) feature. It
6964adds several new CLI commands, including `logs` and `endpoints`, that provide
6965diagnostic visibility into Linkerd's control plane. Finally, it introduces two
6966exciting experimental features: a cryptographically-secured client identity
6967header, and a CNI plugin that avoids the need for `NET_ADMIN` kernel
6968capabilities at deploy time.
6969
6970For more details, see the announcement blog post:
6971<https://blog.linkerd.io/2019/02/12/announcing-linkerd-2-2/>
6972
6973To install this release, run: `curl https://run.linkerd.io/install | sh`
6974
6975**Upgrade notes**: The default behavior for proxy auto injection and service
6976profile ownership has changed as part of this release. Please see the [upgrade
6977instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-2-0)
6978for more details.
6979
6980**Special thanks to**: @alenkacz, @codeman9, @jonrichards, @radu-matei,
6981@yeya24, and @zknill
6982
6983**Full release notes**:
6984
6985* CLI
6986 * Improved service profile validation when running `linkerd check` in order
6987 to validate service profiles in all namespaces
6988 * Added the `linkerd endpoints` command to introspect Linkerd's service
6989 discovery state
6990 * Added the `--tap` flag to `linkerd profile` to generate service profiles
6991 using the route results seen during the tap
6992 * Added support for the `linkerd.io/inject: disabled` annotation on pod
6993 specs to disable injection for specific pods when running `linkerd inject`
6994 * Added support for `basePath` in OpenAPI 2.0 files when running `linkerd
6995 profile --open-api`
6996 * Increased `linkerd check` client timeout from 5 seconds to 30 seconds to
6997 fix issues for clusters with slow API servers
6998 * Updated `linkerd routes` to no longer return rows for `ExternalName`
6999 services in the namespace
7000 * Broadened the set of valid URLs when connecting to the Kubernetes API
7001 * Added the `--proto` flag to `linkerd profile` to output a service profile
7002 based on a Protobuf spec file
7003 * Fixed CLI connection failures to clusters that use self-signed
7004 certificates
7005 * Simplified `linkerd install` so that setting up proxy auto-injection (flag
7006 `--proxy-auto-inject`) no longer requires enabling TLS (flag `--tls`)
7007 * Added links for each `linkerd check` failure, pointing to a relevant
7008 section in our new FAQ page with resolution steps for each case
7009 * Added optional `linkerd install-sp` command to generate service profiles
7010 for the control plane, providing per-route metrics for control plane
7011 components
7012 * Removed `--proxy-bind-timeout` flag from `linkerd install` and `linkerd
7013 inject`, as the proxy no longer accepts this environment variable
7014 * Improved CLI appearance on Windows systems
7015 * Improved `linkerd check` output, fixed bug with `--single-namespace`
7016 * Fixed panic when `linkerd routes` is called in single-namespace mode
7017 * Added `linkerd logs` command to surface logs from any container in the
7018 Linkerd control plane
7019 * Added `linkerd uninject` command to remove the Linkerd proxy from a
7020 Kubernetes config
7021 * Improved `linkerd inject` to re-inject a resource that already has a
7022 Linkerd proxy
7023 * Improved `linkerd routes` to list all routes, including those without
7024 traffic
7025 * Improved readability in `linkerd check` and `linkerd inject` outputs
7026 * Adjusted the set of checks that are run before executing CLI commands,
7027 which allows the CLI to be invoked even when the control plane is not
7028 fully ready
7029 * Fixed reporting of injected resources when the `linkerd inject` command is
7030 run on `List` type resources with multiple items
7031 * Updated the `linkerd dashboard` command to use port-forwarding instead of
7032 proxying when connecting to the web UI and Grafana
7033 * Added validation for the `ServiceProfile` CRD
7034 * Updated the `linkerd check` command to disallow setting both the `--pre`
7035 and `--proxy` flags simultaneously
7036 * Added `--routes` flag to the `linkerd top` command, for grouping table
7037 rows by route instead of by path
7038 * Updated Prometheus configuration to automatically load `*_rules.yml` files
7039 * Removed TLS column from the `linkerd routes` command output
7040 * Updated `linkerd install` output to use non-default service accounts,
7041 `emptyDir` volume mounts, and non-root users
7042 * Removed cluster-wide resources from single-namespace installs
7043 * Fixed resource requests for proxy-injector container in `--ha` installs
7044* Controller
7045 * Fixed issue with auto-injector not setting the proxy ID, which is required
7046 to successfully locate client service profiles
7047 * Added full stat and tap support for DaemonSets and StatefulSets in the
7048 CLI, Grafana, and web UI
7049 * Updated auto-injector to use the proxy log level configured at install
7050 time
7051 * Fixed issue with auto-injector including TLS settings in injected pods
7052 even when TLS was not enabled
7053 * Changed automatic proxy injection to be opt-in via the `linkerd.io/inject`
7054 annotation on the pod or namespace
7055 * Moved service profile definitions to client and server namespaces, rather
7056 than the control plane namespace
7057 * Added `linkerd.io/created-by` annotation to the linkerd-cni DaemonSet
7058 * Added a 10 second keepalive default to resolve dropped connections in
7059 Azure environments
7060 * Improved node selection for installing the linkerd-cni DaemonSet
7061 * Corrected the expected controller identity when configuring pods with TLS
7062 * Modified klog to be verbose when controller log-level is set to `debug`
7063 * Added support for retries and timeouts, configured directly in the service
7064 profile for each route
7065 * Added an experimental CNI plugin to avoid requiring the NET_ADMIN
7066 capability when injecting proxies
7067 * Improved the API for `ListPods`
7068 * Fixed `GetProfiles` API call not returning immediately when no profile
7069 exists (resulting in proxies logging warnings)
7070 * Blocked controller initialization until caches have synced with kube API
7071 * Fixed proxy-api handling of named target ports in service configs
7072 * Added parameter to stats API to skip retrieving prometheus stats
7073* Web UI
7074 * Updated navigation to link the Linkerd logo back to the Overview page
7075 * Fixed console warnings on the Top page
7076 * Grayed-out the tap icon for requests from sources that are not meshed
7077 * Improved resource detail pages to show all resource types
7078 * Fixed stats not appearing for routes that have service profiles installed
7079 * Added "meshed" and "no traffic" badges on the resource detail pages
7080 * Fixed `linkerd dashboard` to maintain proxy connection when browser open
7081 fails
7082 * Fixed JavaScript bundling to avoid serving old versions after upgrade
7083 * Reduced the size of the webpack JavaScript bundle by nearly 50%
7084 * Fixed an indexing error on the top results page
7085 * Restored unmeshed resources in the network graph on the resource detail
7086 page
7087 * Adjusted label for unknown routes in route tables, added tooltip
7088 * Updated Top Routes page to persist form settings in URL
7089 * Added button to create new service profiles on Top Routes page
7090 * Fixed CLI commands displayed when linkerd is running in non-default
7091 namespace
7092* Proxy
7093 * Modified the way in which canonicalization warnings are logged to reduce
7094 the overall volume of error logs and make it clearer when failures occur
7095 * Added TCP keepalive configuration to fix environments where peers may
7096 silently drop connections
7097 * Updated the `Get` and `GetProfiles` APIs to accept a `proxy_id` parameter
7098 in order to return more tailored results
7099 * Removed TLS fallback-to-plaintext if handshake fails
7100 * Added the ability to override a proxy's normal outbound routing by adding
7101 an `l5d-override-dst` header
7102 * Added `LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT` environment variable to
7103 customize the timeout for DNS queries to canonicalize a name
7104 * Added support for route timeouts in service profiles
7105 * Improved logging for gRPC errors and for malformed HTTP/2 request headers
7106 * Improved log readability by moving some noisy log messages to more verbose
7107 log levels
7108 * Fixed a deadlock in HTTP/2 stream reference counts
7109 * Updated the proxy-init container to exit with a non-zero exit code if
7110 initialization fails, making initialization errors much more visible
7111 * Fixed a memory leak due to leaked UDP sockets for failed DNS queries
7112 * Improved configuration of the PeakEwma load balancer
7113 * Improved handling of ports configured to skip protocol detection when the
7114 proxy is running with TLS enabled
7115
7116## edge-19.2.3
7117
7118* Controller
7119 * Fixed issue with auto-injector not setting the proxy ID, which is required
7120 to successfully locate client service profiles
7121* Web UI
7122 * Updated navigation to link the Linkerd logo back to the Overview page
7123 * Fixed console warnings on the Top page
7124
7125## edge-19.2.2
7126
7127* CLI
7128 * Improved service profile validation when running `linkerd check` in order
7129 to validate service profiles in all namespaces
7130* Controller
7131 * Added stat and tap support for StatefulSets in the CLI, Grafana, and web
7132 UI
7133 * Updated auto-injector to use the proxy log level configured at install
7134 time
7135 * Fixed issue with auto-injector including TLS settings in injected pods
7136 even when TLS was not enabled
7137* Proxy
7138 * Modified the way in which canonicalization warnings are logged to reduce
7139 the overall volume of error logs and make it clearer when failures occur
7140
7141## edge-19.2.1
7142
7143* Controller
7144 * **Breaking change** Changed automatic proxy injection to be opt-in via the
7145 `linkerd.io/inject` annotation on the pod or namespace. More info:
7146 <https://linkerd.io/2/proxy-injection/>
7147 * **Breaking change** `ServiceProfile`s are now defined in client and server
7148 namespaces, rather than the control plane namespace. `ServiceProfile`s
7149 defined in the client namespace take priority over ones defined in the
7150 server namespace
7151 * Added `linkerd.io/created-by` annotation to the linkerd-cni DaemonSet
7152 (thanks @codeman9!)
7153 * Added a 10 second keepalive default to resolve dropped connections in
7154 Azure environments
7155 * Improved node selection for installing the linkerd-cni DaemonSet (thanks
7156 @codeman9!)
7157 * Corrected the expected controller identity when configuring pods with TLS
7158 * Modified klog to be verbose when controller log-level is set to `Debug`
7159* CLI
7160 * Added the `linkerd endpoints` command to introspect Linkerd's service
7161 discovery state
7162 * Added the `--tap` flag to `linkerd profile` to generate a `ServiceProfile`
7163 by using the route results seen during the tap
7164 * Added support for the `linkerd.io/inject: disabled` annotation on pod
7165 specs to disable injection for specific pods when running `linkerd inject`
7166 * Added support for `basePath` in OpenAPI 2.0 files when running `linkerd
7167 profile --open-api`
7168 * Increased `linkerd check` client timeout from 5 seconds to 30 seconds to
7169 fix issues for clusters with a slower API server
7170 * `linkerd routes` will no longer return rows for `ExternalName` services in
7171 the namespace
7172 * Broadened set of valid URLs when connecting to the Kubernetes API
7173 * Improved `ServiceProfile` field validation in `linkerd check`
7174* Proxy
7175 * Added TCP keepalive configuration to fix environments where peers may
7176 silently drop connections
7177 * The `Get` and `GetProfiles` API now accept a `proxy_id` parameter in order
7178 to return more tailored results
7179 * Removed TLS fallback-to-plaintext if handshake fails
7180
7181## edge-19.1.4
7182
7183* Controller
7184 * Added support for timeouts! Configurable in the service profiles for each
7185 route
7186 * Added an experimental CNI plugin to avoid requiring the NET_ADMIN
7187 capability when injecting proxies (more details at
7188 <https://linkerd.io/2/cni>) (thanks @codeman9!)
7189 * Added more improvements to the API for `ListPods` (thanks @alenkacz!)
7190* Web UI
7191 * Grayed-out the tap icon for requests from sources that are not meshed
7192* CLI
7193 * Added the `--proto` flag to `linkerd profile` to output a service profile
7194 based on a Protobuf spec file
7195 * Fixed CLI connection failure to clusters that use self-signed certificates
7196 * Simplified `linkerd install` so that setting up proxy auto-injection (flag
7197 `--proxy-auto-inject`) no longer requires enabling TLS (flag `--tls`)
7198 * Added links for each `linkerd check` failure, pointing to a relevant
7199 section in our new FAQ page with resolution steps for each case
7200
7201## edge-19.1.3
7202
7203* Controller
7204 * Improved API for `ListPods` (thanks @alenkacz!)
7205 * Fixed `GetProfiles` API call not returning immediately when no profile
7206 exists (resulting in proxies logging warnings)
7207* Web UI
7208 * Improved resource detail pages to show all resource types
7209 * Fixed stats not appearing for routes that have service profiles installed
7210* CLI
7211 * Added optional `linkerd install-sp` command to generate service profiles
7212 for the control plane, providing per-route metrics for control plane
7213 components
7214 * Removed `--proxy-bind-timeout` flag from `linkerd install` and `linkerd
7215 inject` commands, as the proxy no longer accepts this environment variable
7216 * Improved CLI appearance on Windows systems
7217 * Improved `linkerd check` output, fixed check bug when using
7218 `--single-namespace` (thanks to @djeeg for the bug report!)
7219 * Improved `linkerd stat` to support DaemonSets (thanks @zknill!)
7220 * Fixed panic when `linkerd routes` is called in single-namespace mode
7221* Proxy
7222 * Added the ability to override a proxy's normal outbound routing by adding
7223 an `l5d-override-dst` header
7224 * Added `LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT` environment variable to
7225 customize the timeout for DNS queries to canonicalize a name
7226 * Added support for route timeouts in service profiles
7227 * Improved logging for gRPC errors and for malformed HTTP/2 request headers
7228 * Improved log readability by moving some noisy log messages to more verbose
7229 log levels
7230
7231## edge-19.1.2
7232
7233* Controller
7234 * Retry support! Introduce an `isRetryable` property to service profiles to
7235 enable configuring retries on a per-route basis
7236* Web UI
7237 * Add "meshed" and "no traffic" badges on the resource detail pages
7238 * Fix `linkerd dashboard` to maintain proxy connection when browser open
7239 fails
7240 * Fix JavaScript bundling to avoid serving old versions after upgrade
7241* CLI
7242 * Add `linkerd logs` command to surface logs from any container in the
7243 Linkerd control plane (shout out to
7244 [Stern](https://github.com/wercker/stern)!)
7245 * Add `linkerd uninject` command to remove the Linkerd proxy from a
7246 Kubernetes config
7247 * Improve `linkerd inject` to re-inject a resource that already has a
7248 Linkerd proxy
7249 * Improve `linkerd routes` to list all routes, including those without
7250 traffic
7251 * Improve readability in `linkerd check` and `linkerd inject` outputs
7252* Proxy
7253 * Fix a deadlock in HTTP/2 stream reference counts
7254
7255## edge-19.1.1
7256
7257* CLI
7258 * Adjust the set of checks that are run before executing CLI commands, which
7259 allows the CLI to be invoked even when the control plane is not fully
7260 ready
7261 * Fix reporting of injected resources when the `linkerd inject` command is
7262 run on `List` type resources with multiple items
7263 * Update the `linkerd dashboard` command to use port-forwarding instead of
7264 proxying when connecting to the web UI and Grafana
7265 * Add validation for the `ServiceProfile` CRD (thanks, @alenkacz!)
7266 * Update the `linkerd check` command to disallow setting both the `--pre`
7267 and `--proxy` flags simultaneously (thanks again, @alenkacz!)
7268* Web UI
7269 * Reduce the size of the webpack JavaScript bundle by nearly 50%!
7270 * Fix an indexing error on the top results page
7271* Proxy
7272 * **Fixed** The proxy-init container now exits with a non-zero exit code if
7273 initialization fails, making initialization errors much more visible
7274 * **Fixed** The proxy previously leaked UDP sockets for failed DNS queries,
7275 causing a memory leak; this has been fixed
7276
7277## edge-18.12.4
7278
7279Upgrade notes: The control plane components have been renamed as of the
7280edge-18.12.1 release to reduce possible naming collisions. To upgrade an older
7281installation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).
7282
7283* CLI
7284 * Add `--routes` flag to the `linkerd top` command, for grouping table rows
7285 by route instead of by path
7286 * Update Prometheus configuration to automatically load `*_rules.yml` files
7287 * Remove TLS column from the `linkerd routes` command output
7288* Web UI
7289 * Restore unmeshed resources in the network graph on the resource detail
7290 page
7291 * Reduce the overall size of the asset bundle for the web frontend
7292* Proxy
7293 * Improve configuration of the PeakEwma load balancer
7294
7295Special thanks to @radu-matei for cleaning up a whole slew of Go lint
7296warnings, and to @jonrichards for improving the Rust build setup!
7297
7298## edge-18.12.3
7299
7300Upgrade notes: The control plane components have been renamed as of the
7301edge-18.12.1 release to reduce possible naming collisions. To upgrade an older
7302installation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).
7303
7304* CLI
7305 * Multiple improvements to the `linkerd install` config (thanks @codeman9!)
7306 * Use non-default service accounts for grafana and web deployments
7307 * Use `emptyDir` volume mount for prometheus and grafana pods
7308 * Set security context on control plane components to not run as root
7309 * Remove cluster-wide resources from single-namespace installs
7310 * Disable service profiles in single-namespace mode
7311 * Require that namespace already exist for single-namespace installs
7312 * Fix resource requests for proxy-injector container in `--ha` installs
7313* Controller
7314 * Block controller initialization until caches have synced with kube API
7315 * Fix proxy-api handling of named target ports in service configs
7316 * Add parameter to stats API to skip retrieving prometheus stats (thanks,
7317 @alpeb!)
7318* Web UI
7319 * Adjust label for unknown routes in route tables, add tooltip
7320 * Update Top Routes page to persist form settings in URL
7321 * Add button to create new service profiles on Top Routes page
7322 * Fix CLI commands displayed when linkerd is running in non-default
7323 namespace
7324* Proxy
7325 * Proxies with TLS enabled now honor ports configured to skip protocol
7326 detection
7327
7328## stable-2.1.0
7329
7330This stable release introduces several major improvements, including per-route
7331metrics, service profiles, and a vastly improved dashboard UI. It also adds
7332several significant experimental features, including proxy auto-injection,
7333single namespace installs, and a high-availability mode for the control plane.
7334
7335For more details, see the announcement blog post:
7336<https://blog.linkerd.io/2018/12/06/announcing-linkerd-2-1/>
7337
7338To install this release, run: `curl https://run.linkerd.io/install | sh`
7339
7340**Upgrade notes**: The control plane components have been renamed in this
7341release to reduce possible naming collisions. Please make sure to read the
7342[upgrade
7343instructions](https://linkerd.io/2/upgrade/#upgrade-notice-stable-2-1-0) if
7344you are upgrading from the `stable-2.0.0` release.
7345
7346**Special thanks to**: @alenkacz, @alpeb, @benjdlambert, @fahrradflucht,
7347@ffd2subroutine, @hypnoglow, @ihcsim, @lucab, and @rochacon
7348
7349**Full release notes**:
7350
7351* CLI
7352 * `linkerd routes` command displays per-route stats for _any resource_
7353 * Service profiles are now supported for external authorities
7354 * `linkerd routes --open-api` flag generates a service profile based on an
7355 OpenAPI specification (swagger) file
7356 * `linkerd routes` command displays per-route stats for services with
7357 service profiles
7358 * Add `--ha` flag to `linkerd install` command, for HA deployment of the
7359 control plane
7360 * Update stat command to accept multiple stat targets
7361 * Fix authority stat filtering when the `--from` flag is present
7362 * Various improvements to check command, including:
7363 * Emit warnings instead of errors when not running the latest version
7364 * Add retries if control plane health check fails initially
7365 * Run all pre-install RBAC checks, instead of stopping at first failure
7366 * Fixed an issue with the `--registry` install flag not accepting hosts with
7367 ports
7368 * Added an `--output` stat flag, for printing stats as JSON
7369 * Updated the `top` table to set column widths dynamically
7370 * Added a `--single-namespace` install flag for installing the control plane
7371 with Role permissions instead of ClusterRole permissions
7372 * Added a `--proxy-auto-inject` flag to the `install` command, allowing for
7373 auto-injection of sidecar containers
7374 * Added `--proxy-cpu` and `--proxy-memory` flags to the `install` and
7375 `inject` commands, giving the ability to configure CPU + Memory requests
7376 * Added a `--context` flag to specify the context to use to talk to the
7377 Kubernetes apiserver
7378 * The namespace in which Linkerd is installed is configurable via the
7379 `LINKERD_NAMESPACE` env var, in addition to the `--linkerd-namespace` flag
7380 * The wait time for the `check` and `dashboard` commands is configurable via
7381 the `--wait` flag
7382 * The `top` command now aggregates by HTTP method as well
7383* Controller
7384 * Rename snake case fields to camel case in service profile spec
7385 * Controller components are now prefixed with `linkerd-` to prevent name
7386 collisions with existing resources
7387 * `linkerd install --disable-h2-upgrade` flag has been added to control
7388 automatic HTTP/2 upgrading
7389 * Fix auto injection issue on Kubernetes `v1.9.11` that would merge, rather
7390 than append, the proxy container into the application
7391 * Fixed a few issues with auto injection via the proxy-injector webhook:
7392 * Injected pods now execute the linkerd-init container last, to avoid
7393 rerouting requests during pod init
7394 * Original pod labels and annotations are preserved when auto-injecting
7395 * CLI health check now uses unified endpoint for data plane checks
7396 * Include Licence files in all Docker images
7397* Proxy
7398 * The proxy's `tap` subsystem has been reimplemented to be more efficient
7399 and reliable
7400 * The proxy now supports route metadata in tap queries and events
7401 * A potential HTTP/2 window starvation bug has been fixed
7402 * Prometheus counters now wrap properly for values greater than 2^53
7403 * Add controller client metrics, scoped under `control_`
7404 * Canonicalize outbound names via DNS for inbound profiles
7405 * Fix routing issue when a pod makes a request to itself
7406 * Only include `classification` label on `response_total` metric
7407 * Remove panic when failing to get remote address
7408 * Better logging in TCP connect error messages
7409* Web UI
7410 * Top routes page, served at `/routes`
7411 * Route metrics are now available in the resource detail pages for services
7412 with configured profiles
7413 * Service profiles can be created and downloaded from the Web UI
7415 * Fixed a smattering of small UI issues
7416 * Added a new Grafana dashboard for authorities
7417 * Revamped look and feel of the Linkerd dashboard by switching component
7418 libraries from antd to material-ui
7419 * Added a Help section in the sidebar containing useful links
7420 * Tap and Top pages
7421 * Added clear button to query form
7422 * Resource Detail pages
7423 * Limit number of resources shown in the graph
7424 * Resource Detail page
7425 * Better rendering of the dependency graph at the top of the page
7426 * Unmeshed sources are now populated in the Inbound traffic table
7427 * Sources and destinations are aligned in the popover
7428 * Tap and Top pages
7429 * Additional validation and polish for the form controls
7430 * The top table clears older results when a new top call is started
7431 * The top table now aggregates by HTTP method as well
7432
7433## edge-18.12.2
7434
7435Upgrade notes: The control plane components have been renamed as of the
7436edge-18.12.1 release to reduce possible naming collisions. To upgrade an older
7437installation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).
7438
7439* Controller
7440 * Rename snake case fields to camel case in service profile spec
7441
## edge-18.12.1

Upgrade notes: The control plane components have been renamed in this release
to reduce possible naming collisions. To upgrade an existing installation:

* Install new CLI: `curl https://run.linkerd.io/install-edge | sh`
* Install new control plane: `linkerd install | kubectl apply -f -`
* Remove old deploys/cms: `kubectl -n linkerd get deploy,cm -oname | grep -v
  linkerd | xargs kubectl -n linkerd delete`
* Re-inject your applications: `linkerd inject my-app.yml | kubectl apply -f
  -`
* Remove old services: `kubectl -n linkerd get svc -oname | grep -v linkerd |
  xargs kubectl -n linkerd delete`

For more information, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).

* CLI
  * **Improved** `linkerd routes` command displays per-route stats for _any
    resource_!
  * **New** Service profiles are now supported for external authorities!
  * **New** `linkerd routes --open-api` flag generates a service profile based
    on an OpenAPI specification (swagger) file
* Web UI
  * **New** Top routes page, served at `/routes`
  * **New** Route metrics are now available in the resource detail pages for
    services with configured profiles
  * **New** Service profiles can be created and downloaded from the Web UI
* Controller
  * **Improved** Controller components are now prefixed with `linkerd-` to
    prevent name collisions with existing resources
  * **New** `linkerd install --disable-h2-upgrade` flag has been added to
    control automatic HTTP/2 upgrading
* Proxy
  * **Improved** The proxy's `tap` subsystem has been reimplemented to be more
    efficient and reliable
    * The proxy now supports route metadata in tap queries and events
  * **Fixed** A potential HTTP/2 window starvation bug has been fixed
  * **Fixed** Prometheus counters now wrap properly for values greater than
    2^53 (thanks, @lucab!)

## edge-18.11.3

* CLI
  * **New** `linkerd routes` command displays per-route stats for services
    with service profiles
  * **Experimental** Add `--ha` flag to `linkerd install` command, for HA
    deployment of the control plane (thanks @benjdlambert!)
* Web UI
  * **Experimental** Top Routes page, served at `/routes`
* Controller
  * **Fixed** Fix auto injection issue on Kubernetes `v1.9.11` that would
    merge, rather than append, the proxy container into the application
* Proxy
  * **Improved** Add controller client metrics, scoped under `control_`
  * **Improved** Canonicalize outbound names via DNS for inbound profiles

## edge-18.11.2

* CLI
  * **Improved** Update stat command to accept multiple stat targets
  * **Fixed** Fix authority stat filtering when the `--from` flag is present
  * Various improvements to check command, including:
    * Emit warnings instead of errors when not running the latest version
    * Add retries if control plane health check fails initially
    * Run all pre-install RBAC checks, instead of stopping at first failure
* Proxy / Proxy-Init
  * **Fixed** Fix routing issue when a pod makes a request to itself (#1585)
  * Only include `classification` label on `response_total` metric

## edge-18.11.1

* Proxy
  * **Fixed** Remove panic when failing to get remote address
  * **Improved** Better logging in TCP connect error messages
* Web UI
  * **Improved** Fixed a smattering of small UI issues

## edge-18.10.4

This release includes a major redesign of the web frontend to make use of the
Material design system. Additional features that leverage the new design are
coming soon! This release also includes the following changes:

* CLI
  * **Fixed** Fixed an issue with the `--registry` install flag not accepting
    hosts with ports (thanks, @alenkacz!)
* Web UI
  * **New** Added a new Grafana dashboard for authorities (thanks, @alpeb!)
  * **New** Revamped look and feel of the Linkerd dashboard by switching
    component libraries from antd to material-ui

## edge-18.10.3

* CLI
  * **New** Added an `--output` stat flag, for printing stats as JSON
  * **Improved** Updated the `top` table to set column widths dynamically
  * **Experimental** Added a `--single-namespace` install flag for installing
    the control plane with Role permissions instead of ClusterRole permissions
* Controller
  * Fixed a few issues with auto injection via the proxy-injector webhook:
    * Injected pods now execute the linkerd-init container last, to avoid
      rerouting requests during pod init
    * Original pod labels and annotations are preserved when auto-injecting
* Web UI
  * **New** Added a Help section in the sidebar containing useful links

## edge-18.10.2

This release brings major improvements to the CLI as described below,
including support for auto-injecting deployments via a Kubernetes Admission
Controller. Proxy auto-injection is **experimental**, and the implementation
may change going forward.

* CLI
  * **New** Added a `--proxy-auto-inject` flag to the `install` command,
    allowing for auto-injection of sidecar containers (Thanks @ihcsim!)
  * **Improved** Added `--proxy-cpu` and `--proxy-memory` flags to the
    `install` and `inject` commands, giving the ability to configure CPU +
    Memory requests (Thanks @benjdlambert!)
  * **Improved** Added a `--context` flag to specify the context to use to
    talk to the Kubernetes apiserver (Thanks @ffd2subroutine!)

## edge-18.10.1

* Web UI
  * **Improved** Tap and Top pages
    * Added clear button to query form
  * **Improved** Resource Detail pages
    * Limit number of resources shown in the graph
* Controller
  * CLI health check now uses unified endpoint for data plane checks
  * Include Licence files in all Docker images

Special thanks to @alenkacz for contributing to this release!

## edge-18.9.3

* Web UI
  * **Improved** Resource Detail page
    * Better rendering of the dependency graph at the top of the page
    * Unmeshed sources are now populated in the Inbound traffic table
    * Sources and destinations are aligned in the popover
  * **Improved** Tap and Top pages
    * Additional validation and polish for the form controls
    * The top table clears older results when a new top call is started
    * The top table now aggregates by HTTP method as well
* CLI
  * **New** The namespace in which Linkerd is installed is configurable via
    the `LINKERD_NAMESPACE` env var, in addition to the `--linkerd-namespace`
    flag
  * **New** The wait time for the `check` and `dashboard` commands is
    configurable via the `--wait` flag
  * **Improved** The `top` command now aggregates by HTTP method as well

Special thanks to @rochacon, @fahrradflucht and @alenkacz for contributing to
this release!

## stable-2.0.0

## edge-18.9.2

* **New** _edge_ and _stable_ release channels
* Web UI
  * **Improved** Tap & Top UIs with better layout and linking
* CLI
  * **Improved** `check --pre` command verifies the caller has sufficient
    permissions to install Linkerd
  * **Improved** `check` command verifies that Prometheus has data for proxied
    pods
* Proxy
  * **Fix** `hyper` crate dependency corrects HTTP/1.0 Keep-Alive behavior

## v18.9.1

* Web UI
  * **New** Default landing page provides namespace overview with expandable
    sections
  * **New** Breadcrumb navigation at the top of the dashboard
  * **Improved** Tap and Top pages
    * Table rendering performance improvements via throttling
    * Tables now link to resource detail pages
    * Tap an entire namespace when no resource is specified
    * Tap websocket errors provide more descriptive text
    * Consolidated source and destination columns
  * Misc ui updates
    * Metrics tables now include a small success rate chart
    * Improved latency formatting for seconds latencies
    * Renamed upstream/downstream to inbound/outbound
    * Sidebar scrolls independently from main panel, scrollbars hidden when
      not needed
    * Removed social links from sidebar
* CLI
  * **New** `linkerd check` now validates Linkerd proxy versions and readiness
  * **New** `linkerd inject` now provides an injection status report, and
    warns when resources are not injectable
  * **New** `linkerd top` now has a `--hide-sources` flag, to hide the source
    column and collapse top results accordingly
* Control Plane
  * Updated Prometheus to v2.4.0, Grafana to 5.2.4

## v18.8.4

* Web UI
  * **Improved** Tap and Top now have a better sampling rate
  * **Fixed** Missing sidebar headings now appear

## v18.8.3

* Web UI
  * **Improved** Kubernetes resource navigation in the sidebar
  * **Improved** resource detail pages:
    * **New** live request view
    * **New** success rate graphs
* CLI
  * `tap` and `top` have been improved to sample up to 100 RPS
* Control plane
  * Injected proxy containers now have readiness and liveness probes enabled

Special thanks to @sourishkrout for contributing a web readability fix!

## v18.8.2

* CLI
  * **New** `linkerd top` command has been added, displays live traffic stats
  * `linkerd check` has been updated with additional checks, now supports a
    `--pre` flag for running pre-install checks
  * `linkerd check` and `linkerd dashboard` now support a `--wait` flag that
    tells the CLI to wait for the control plane to become ready
  * `linkerd tap` now supports a `--output` flag to display output in a wide
    format that includes src and dst resources and namespaces
  * `linkerd stat` includes additional validation for command line inputs
  * All commands that talk to the Linkerd API now show better error messages
    when the control plane is unavailable
* Web UI
  * **New** individual resources can now be viewed on a resource detail page,
    which includes stats for the resource itself and its nearest neighbors
  * **Experimental** web-based Top interface accessible at `/top`, aggregates
    tap data in real time to display live traffic stats
  * The `/tap` page has multiple improvements, including displaying additional
    src/dst metadata, improved form controls, and better latency formatting
  * All resource tables have been updated to display meshed pod counts, as
    well as an icon linking to the resource's Grafana dashboard if it is
    meshed
  * The UI now shows more useful information when server errors are
    encountered
* Proxy
  * The `h2` crate fixed a HTTP/2 window management bug
  * The `rustls` crate fixed a bug that could improperly fail TLS streams
* Control Plane
  * The tap server now hydrates metadata for both sources and destinations

## v18.8.1

* Web UI
  * **New** Tap UI makes it possible to query & inspect requests from the
    browser!
* Proxy
  * **New** Automatic, transparent HTTP/2 multiplexing of HTTP/1 traffic
    reduces the cost of short-lived HTTP/1 connections
* Control Plane
  * **Improved** `linkerd inject` now supports injecting all resources in a
    folder
  * **Fixed** `linkerd tap` no longer crashes when there are many pods
  * **New** Prometheus now only scrapes proxies belonging to its own linkerd
    install
  * **Fixed** Prometheus metrics collection for clusters with >100 pods

Special thanks to @ihcsim for contributing the `inject` improvement!

## v18.7.3

Linkerd2 v18.7.3 completes the rebranding from Conduit to Linkerd2, and
improves overall performance and stability.

* Proxy
  * **Improved** CPU utilization by ~20%
* Web UI
  * **Experimental** `/tap` page now supports additional filters
* Control Plane
  * Updated all k8s.io dependencies to 1.11.1

## v18.7.2

Linkerd2 v18.7.2 introduces new stability features as we work toward
production readiness.

* Control Plane
  * **Breaking change** Injected pod labels have been renamed to be more
    consistent with Kubernetes; previously injected pods must be re-injected
    with new version of linkerd CLI in order to work with updated control
    plane
  * The "ca-bundle-distributor" deployment has been renamed to "ca"
* Proxy
  * **Fixed** HTTP/1.1 connections were not properly reused, leading to
    elevated latencies and CPU load
  * **Fixed** The `process_cpu_seconds_total` was calculated incorrectly
* Web UI
  * **New** per-namespace application topology graph
  * **Experimental** web-based Tap interface accessible at `/tap`
  * Updated favicon to the Linkerd logo

## v18.7.1

Linkerd2 v18.7.1 is the first release of the Linkerd2 project, which was
formerly hosted at github.com/runconduit/conduit.

* Packaging
  * Introduce new date-based versioning scheme, `vYY.M.n`
  * Move all Docker images to `gcr.io/linkerd-io` repo
* User Interface
  * Update branding to reference Linkerd throughout
  * The CLI is now called `linkerd`
* Production Readiness
  * Fix issue with destination service sending back incomplete pod metadata
  * Fix high CPU usage during proxy shutdown
  * ClusterRoles are now unique per Linkerd install, allowing multiple
    instances to be installed in the same Kubernetes cluster

## v0.5.0

Conduit v0.5.0 introduces a new, experimental feature that automatically
enables Transport Layer Security between Conduit proxies to secure application
traffic. It also adds support for HTTP protocol upgrades, so applications that
use WebSockets can now benefit from Conduit.

* Security
  * **New** `conduit install --tls=optional` enables automatic, opportunistic
    TLS. See [the docs][auto-tls] for more info.
* Production Readiness
  * The proxy now transparently supports HTTP protocol upgrades to support,
    for instance, WebSockets.
  * The proxy now seamlessly forwards HTTP `CONNECT` streams.
  * Controller services are now configured with liveness and readiness probes.
* User Interface
  * `conduit stat` now supports a virtual `authority` resource that aggregates
    traffic by the `:authority` (or `Host`) header of an HTTP request.
  * `dashboard`, `stat`, and `tap` have been updated to describe TLS state for
    traffic.
  * `conduit tap` now has more detailed information, including the direction
    of each message (outbound or inbound).
  * `conduit stat` now more-accurately records histograms for low-latency
    services.
  * `conduit dashboard` now includes error messages when a Conduit-enabled pod
    fails.
* Internals
  * Prometheus has been upgraded to v2.3.1.
  * A potential live-lock has been fixed in HTTP/2 servers.
  * `conduit tap` could crash due to a null-pointer access. This has been
    fixed.

[auto-tls]: docs/automatic-tls.md

## v0.4.4

Conduit v0.4.4 continues to improve production suitability and sets up
internals for the upcoming v0.5.0 release.

* Production Readiness
  * The destination service has been mostly-rewritten to improve safety and
    correctness, especially during controller initialization.
  * Readiness and Liveness checks have been added for some controller
    components.
  * RBAC settings have been expanded so that Prometheus can access node-level
    metrics.
* User Interface
  * Ad blockers like uBlock prevented the Conduit dashboard from fetching API
    data. This has been fixed.
  * The UI now highlights pods that have failed to start a proxy.
* Internals
  * Various dependency upgrades, including Rust 1.26.2.
  * TLS testing continues to bear fruit, precipitating stability improvements
    to dependencies like Rustls.

Special thanks to @alenkacz for improving docker build times!

## v0.4.3

Conduit v0.4.3 continues progress towards production readiness. It features a
new latency-aware load balancer.

* Production Readiness
  * The proxy now uses a latency-aware load balancer for outbound requests.
    This implementation is based on Finagle's Peak-EWMA balancer, which has
    been proven to significantly reduce tail latencies. This is the same load
    balancing strategy used by Linkerd.
* User Interface
  * `conduit stat` is now slightly more predictable in the way it outputs
    things, especially for commands like `watch conduit stat all
    --all-namespaces`.
  * Failed and completed pods are no longer shown in stat summary results.
* Internals
  * The proxy now supports some TLS configuration, though these features
    remain disabled and undocumented pending further testing and
    instrumentation.

Special thanks to @ihcsim for contributing his first PR to the project and to
@roanta for discussing the Peak-EWMA load balancing algorithm with us.

## v0.4.2

Conduit v0.4.2 is a major step towards production readiness. It features a
wide array of fixes and improvements for long-running proxies, and several new
telemetry features. It also lays the groundwork for upcoming releases that
introduce mutual TLS everywhere.

* Production Readiness
  * The proxy now drops metrics that do not update for 10 minutes, preventing
    unbounded memory growth for long-running processes.
  * The proxy now constrains the number of services that a node can route to
    simultaneously (default: 100). This protects long-running proxies from
    consuming unbounded resources by tearing down the longest-idle clients
    when the capacity is reached.
  * The proxy now properly honors HTTP/2 request cancellation.
  * The proxy could incorrectly handle requests in the face of some connection
    errors. This has been fixed.
  * The proxy now honors DNS TTLs.
  * `conduit inject` now works with `statefulset` resources.
* Telemetry
  * **New** `conduit stat` now supports the `all` Kubernetes resource, which
    shows traffic stats for all Kubernetes resources in a namespace.
  * **New** the Conduit web UI has been reorganized to provide namespace
    overviews.
  * **Fix** a bug in Tap that prevented the proxy from simultaneously
    satisfying more than one Tap request.
  * **Fix** a bug that could prevent stats from being reported for some TCP
    streams in failure conditions.
  * The proxy now measures response latency as time-to-first-byte.
* Internals
  * The proxy now supports user-friendly time values (e.g. `10s`) from
    environment configuration.
  * The control plane now uses client for Kubernetes 1.10.2.
  * Much richer proxy debug logging, including socket and stream metadata.
  * The proxy internals have been changed substantially in preparation for TLS
    support.

Special thanks to @carllhw, @kichristensen, & @sfroment for contributing to
this release!

### Upgrading from v0.4.1

When upgrading from v0.4.1, we suggest that the control plane be upgraded to
v0.4.2 before injecting application pods to use v0.4.2 proxies.

## v0.4.1

Conduit 0.4.1 builds on the telemetry work from 0.4.0, providing rich,
Kubernetes-aware observability and debugging.

* Web UI
  * **New** Automatically-configured Grafana dashboards for Services, Pods,
    ReplicationControllers, and Conduit mesh health.
  * **New** `conduit dashboard` Pod and ReplicationController views.
* Command-line interface
  * **Breaking change** `conduit tap` now operates on most Kubernetes
    resources.
  * `conduit stat` and `conduit tap` now both support kubectl-style resource
    strings (`deploy`, `deploy/web`, and `deploy web`), specifically:
    * `namespaces`
    * `deployments`
    * `replicationcontrollers`
    * `services`
    * `pods`
* Telemetry
  * **New** Tap support for filtering by and exporting destination metadata.
    Now you can sample requests from A to B, where A and B are any resource or
    group of resources.
  * **New** TCP-level stats, including connection counts and durations, and
    throughput, wired through to Grafana dashboards.
* Service Discovery
  * The proxy now uses the [trust-dns] DNS resolver. This fixes a number of
    DNS correctness issues.
  * The destination service could sometimes return incorrect, stale, labels
    for an endpoint. This has been fixed!

[trust-dns]: https://github.com/bluejekyll/trust-dns

## v0.4.0

Conduit 0.4.0 overhauls Conduit's telemetry system and improves service
discovery reliability.

* Web UI
  * **New** automatically-configured Grafana dashboards for all Deployments.
* Command-line interface
  * `conduit stat` has been completely rewritten to accept arguments like
    `kubectl get`. The `--to` and `--from` filters can be used to filter
    traffic by destination and source, respectively. `conduit stat` currently
    can operate on `Namespace` and `Deployment` Kubernetes resources. More
    resource types will be added in the next release!
* Proxy (data plane)
  * **New** Prometheus-formatted metrics are now exposed on `:4191/metrics`,
    including rich destination labeling for outbound HTTP requests. The proxy
    no longer pushes metrics to the control plane.
  * The proxy now handles `SIGINT` or `SIGTERM`, gracefully draining requests
    until all are complete or `SIGQUIT` is received.
  * SMTP and MySQL (ports 25 and 3306) are now treated as opaque TCP by
    default. You should no longer have to specify `--skip-outbound-ports` to
    communicate with such services.
  * When the proxy reconnected to the controller, it could continue to send
    requests to old endpoints. Now, when the proxy reconnects to the
    controller, it properly removes invalid endpoints.
  * A bug impacting some HTTP/2 reset scenarios has been fixed.
* Service Discovery
  * Previously, the proxy failed to resolve some domain names that could be
    misinterpreted as a Kubernetes Service name. This has been fixed by
    extending the _Destination_ API with a negative acknowledgement response.
* Control Plane
  * The _Telemetry_ service and associated APIs have been removed.
* Documentation
  * Updated [Roadmap](doc/roadmap.md)

Special thanks to @ahume, @alenkacz, & @xiaods for contributing to this
release!

### Upgrading from v0.3.1

When upgrading from v0.3.1, it's important to upgrade proxies before upgrading
the controller. As you upgrade proxies, the controller will lose visibility
into some data plane stats. Once all proxies are updated, `conduit install
|kubectl apply -f -` can be run to upgrade the controller without causing any
data plane disruptions. Once the controller has been restarted, traffic stats
should become available.

## v0.3.1

Conduit 0.3.1 improves Conduit's resilience and transparency.

* Proxy (data plane)
  * The proxy now makes fewer changes to requests and responses being proxied.
    In particular, requests and responses without bodies or with empty bodies
    are better supported.
  * HTTP/1 requests with different `Host` header fields are no longer sent on
    the same HTTP/1 connection even when those hostnames resolve to the same
    IP address.
  * A connection leak during proxying of non-HTTP TCP connections was fixed.
  * The proxy now handles unavailable services more gracefully by timing out
    while waiting for an endpoint to become available for the service.
* Command-line interface
  * `$KUBECONFIG` with multiple paths is now supported. (PR #482 by
    @hypnoglow).
  * `conduit check` now checks for the availability of a Conduit update. (PR
    #460 by @ahume).
* Service Discovery
  * Kubernetes services with type `ExternalName` are now supported.
* Control Plane
  * The proxy is injected into the control plane during installation to
    improve the control plane's resilience and to "dogfood" the proxy.
  * The control plane is now more resilient regarding networking failures.
* Documentation
  * The markdown source for the documentation published at
    <https://conduit.io/docs/> is now open source at
    <https://github.com/runconduit/conduit/tree/master/doc>.

## v0.3.0

Conduit 0.3 focused heavily on production hardening of Conduit's telemetry
system. Conduit 0.3 should "just work" for most apps on Kubernetes 1.8 or 1.9
without configuration, and should support Kubernetes clusters with hundreds of
services, thousands of instances, and hundreds of RPS per instance.

With this release, Conduit also moves from _experimental_ to _alpha_---meaning
that we're ready for some serious testing and vetting from you. As part of
this, we've published the [Conduit roadmap](https://conduit.io/roadmap/), and
we've also launched some new mailing lists:
[conduit-users](https://groups.google.com/forum/#!forum/conduit-users),
[conduit-dev](https://groups.google.com/forum/#!forum/conduit-dev), and
[conduit-announce](https://groups.google.com/forum/#!forum/conduit-announce).

* CLI
  * CLI commands no longer depend on `kubectl`
  * `conduit dashboard` now runs on an ephemeral port, removing port 8001
    conflicts
  * `conduit inject` now skips pods with `hostNetwork=true`
  * CLI commands now have friendlier error messages, and support a `--verbose`
    flag for debugging
* Web UI
  * All displayed metrics are now instantaneous snapshots rather than
    aggregated over 10 minutes
  * The sidebar can now be collapsed
  * UX refinements and bug fixes
* Conduit proxy (data plane)
  * Proxy does load-aware (P2C + least-loaded) L7 balancing for HTTP
  * Proxy can now route to external DNS names
  * Proxy now properly sheds load in some pathological cases when it cannot
    route
* Telemetry system
  * Many optimizations and refinements to support scale goals
  * Per-path and per-pod metrics have been removed temporarily to improve
    scalability and stability; they will be reintroduced in Conduit 0.4 (#405)
* Build improvements
  * The Conduit docker images are now much smaller.
  * Dockerfiles have been changed to leverage caching, improving build times
    substantially

Known Issues:

* Some DNS lookups to external domains fail (#62, #155, #392)
* Applications that use WebSockets, HTTP tunneling/proxying, or protocols such
  as MySQL and SMTP, require additional configuration (#339)

## v0.2.0

This is a big milestone! With this release, Conduit adds support for HTTP/1.x
and raw TCP traffic, meaning it should "just work" for most applications that
are running on Kubernetes without additional configuration.

* Data plane
  * Conduit now transparently proxies all TCP traffic, including HTTP/1.x and
    HTTP/2. (See caveats below.)
* Command-line interface
  * Improved error handling for the `tap` command
  * `tap` also now works with HTTP/1.x traffic
* Dashboard
  * Minor UI appearance tweaks
  * Deployments now searchable from the dashboard sidebar

Caveats:

* Conduit will automatically work for most protocols. However, applications
  that use WebSockets, HTTP tunneling/proxying, or protocols such as MySQL and
  SMTP, will require some additional configuration. See the
  [documentation](https://conduit.io/adding-your-service/#protocol-support)
  for details.
* Conduit doesn't yet support external DNS lookups. These will be addressed in
  an upcoming release.
* There are known issues with Conduit's telemetry pipeline that prevent it
  from scaling beyond a few nodes. These will be addressed in an upcoming
  release.
* Conduit is still in alpha! Please help us by [filing issues and contributing
  pull requests](https://github.com/runconduit/conduit/issues/new).

## v0.1.3

* This is a minor bugfix for some web dashboard UI elements that were not
  rendering correctly.

## v0.1.2

Conduit 0.1.2 continues down the path of increasing usability and improving
debugging and introspection of the service mesh itself.

* Conduit CLI
  * New `conduit check` command reports on the health of your Conduit
    installation.
  * New `conduit completion` command provides shell completion.
* Dashboard
  * Added per-path metrics to the deployment detail pages.
  * Added animations to line graphs indicating server activity.
  * More descriptive CSS variable names. (Thanks @natemurthy!)
  * A variety of other minor UI bugfixes and improvements
* Fixes
  * Fixed Prometheus config when using RBAC. (Thanks @FaKod!)
  * Fixed `tap` failure when pods do not belong to a deployment. (Thanks
    @FaKod!)

## v0.1.1

Conduit 0.1.1 is focused on making it easier to get started with Conduit.

* Conduit can now be installed on Kubernetes clusters that use RBAC.
* The `conduit inject` command now supports a `--skip-outbound-ports` flag
  that directs Conduit to bypass proxying for specific outbound ports, making
  Conduit easier to use with non-gRPC or HTTP/2 protocols.
* The `conduit tap` command output has been reformatted to be line-oriented,
  making it easier to parse with common UNIX command line utilities.
* Conduit now supports routing of non-fully qualified domain names.
* The web UI has improved support for large deployments and deployments that
  don't have any inbound/outbound traffic.

## v0.1.0

Conduit 0.1.0 is the first public release of Conduit.

* This release supports services that communicate via gRPC only. non-gRPC
  HTTP/2 services should work. More complete HTTP support, including HTTP/1.0
  and HTTP/1.1 and non-gRPC HTTP/2, will be added in an upcoming release.
* Kubernetes 1.8.0 or later is required.
* kubectl 1.8.0 or later is required. `conduit dashboard` will not work with
  earlier versions of kubectl.
* When deploying to Minikube, Minikube 0.23 or 0.24.1 or later are required.
  Earlier versions will not work.
* This release has been tested using Google Kubernetes Engine and Minikube.
  Upcoming releases will be tested on additional providers too.
* Configuration settings and protocols are not stable yet.
* Services written in Go must use grpc-go 1.3 or later to avoid [grpc-go bug
  #1120](https://github.com/grpc/grpc-go/issues/1120).