From 828e3e3073850d9f63076979024e8f52b1a48135 Mon Sep 17 00:00:00 2001 
From: Kevin Leimkuhler
Date: Thu, 7 Jan 2021 17:05:36 -0500
Subject: [PATCH] Add changes for edge-21.1.1 (#5492)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## edge-20.12.4

This edge release adds support for the `config.linkerd.io/opaque-ports`
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
`linkerd-jaeger` extension, fixes bugs in the CLI `install` and `upgrade`
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.

* Added support for the `config.linkerd.io/opaque-ports` annotation on pods and
  namespaces, to indicate to the proxy that some ports should skip protocol
  detection
* Fixed an issue where `linkerd install --ha` failed to honor flags
* Fixed an issue where `linkerd upgrade --ha` can override existing configs
* Added missing label to the `linkerd-config-overrides` secret to avoid breaking
  upgrades performed with the help of `kubectl apply --prune`
* Added a missing icon to Jaeger Helm chart
* Added new `linkerd jaeger check` CLI command to validate that the
  `linkerd-jaeger` extension is working correctly
* Added new `linkerd jaeger uninstall` CLI command to print the `linkerd-jaeger`
  extension's resources so that they can be piped into `kubectl delete`
* Fixed an issue where the `linkerd-cni` daemonset may not be installed on all
  intended nodes, due to missing tolerations to the `linkerd-cni` Helm chart
  (thanks @rish-onesignal!)
* Fixed an issue where the `tap` APIServer would not refresh its certs
  automatically when provided externally—like through cert-manager
* Changed the proxy's cache eviction strategy to reduce memory consumption,
  especially for busy HTTP/1.1 clients
* Fixed an issue in the proxy's HTTP protocol detection which could cause false
  positives for non-HTTP traffic
* Increased the proxy's default dispatch timeout to 5 seconds to accommodate
  connection pools which might open connections without immediately making a
  request
* Updated the proxy's Tokio dependency to v0.3

Signed-off-by: Kevin Leimkuhler
---
 CHANGES.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 0ed0c0a25..1a3f204cc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,60 @@ # Changes +## edge-21.1.1 + +This edge release introduces a new "opaque transport" feature that allows the +proxy to securely transport server-speaks-first and otherwise opaque TCP +traffic. Using the `config.linkerd.io/opaque-ports` annotation on pods and +namespaces, users can configure ports that should skip the proxy's protocol +detection. + +Additionally, a new `linkerd-viz` extension has been introduced that separates +the installation of the Grafana, Prometheus, web, and tap components. This +extension closely follows the Jaeger and multicluster extensions; users can +`install` and `uninstall` with the `linkerd viz ..` command as well as configure +for HA with the `--ha` flag. + +The `linkerd viz install` command does not have any cli flags to customize the +install directly, but instead follows the Helm way of customization by using +flags such as `set`, `set-string`, `values`, `set-files`. + +Finally, a new `/shutdown` admin endpoint that may only be accessed over the +loopback network has been added. This allows batch jobs to gracefully terminate +the proxy on completion. The `linkerd-await` utility can be used to automate +this. + +* Added a new `linkerd multicluster check` command to validate that the + `linkerd-multicluster` extension is working correctly +* Fixed description in the `linkerd edges` command (thanks @jsoref!) +* Moved the Grafana, Prometheus, web, and tap components into a new Viz chart, + following the same extension model that multicluster and Jaeger follow +* Introduced a new "opaque transport" feature that allows the proxy to securely + transport server-speaks-first and otherwise opaque TCP traffic +* Removed the check comparing the `ca.crt` field in the identity issuer secret + and the trust anchors in the Linkerd config; these values being different is + not a failure case for the `linkerd check` command (thanks @cypherfox!) 
+* Removed the Prometheus check from the `linkerd check` command since it now + depends on a component that is installed with the Viz extension +* Fixed error messages thrown by the cert checks in `linkerd check` (thanks + @pradeepnnv!) +* Added PodDisruptionBudgets to the control plane components so that they cannot + be all terminated at the same time during disruptions (thanks @tustvold!) +* Fixed an issue that displayed the wrong `linkerd.io/proxy-version` when it is + overridden by annotations (thanks @mateiidavid!) +* Added support for custom registries in the `linkerd-viz` helm chart (thanks + @jimil749!) +* Renamed `proxy-mutator` to `jaeger-injector` in the `linkerd-jaeger` extension +* Added a new `/shutdown` admin endpoint that may only be accessed over the + loopback network allowing batch jobs to gracefully terminate the proxy on + completion +* Introduced the `linkerd identity` command, used to fetch the TLS certificates + for injected pods (thanks @jimil749) +* Fixed an issue with the CNI plugin where it was incorrectly terminating and + emitting error events (thanks @mhulscher!) +* Re-added support for non-LoadBalancer service types in the + `linkerd-multicluster` extension + ## edge-20.12.4 This edge release adds support for the `config.linkerd.io/opaque-ports`
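Review bot: The two `/shutdown` entries (the "Finally, a new `/shutdown` admin endpoint" paragraph and the matching bullet) say the endpoint "may only be accessed over the loopback network" but name neither the admin port nor the HTTP method, so an operator cannot tell from the changelog what to call or what to audit; consider adding both or pointing to the proxy documentation. In the `linkerd viz install` paragraph the Helm-style flags are written as `set`, `set-string`, `values`, `set-files` without the leading `--`, while the paragraph above writes `--ha`; use one form. The `ca.crt` bullet drops a `linkerd check` validation and states only that differing values are "not a failure case"; one clause saying when the issuer secret's `ca.crt` and the trust anchors legitimately differ would let readers judge the change. Smaller points: "cli flags" and "helm chart" are lower-case here but "CLI" and "Helm" elsewhere in the file, `linkerd viz ..` reads as a truncated command, and "(thanks @jimil749)" on the `linkerd identity` bullet is missing the `!` the other credits carry. The commit message body also repeats the edge-20.12.4 notes rather than summarizing the edge-21.1.1 section this hunk adds.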