Add release notes for stable-2.4.0 (#3032)

## stable-2.4.0

This release adds traffic splitting functionality, support for the Kubernetes
Service Mesh Interface (SMI), graduates high-availability support out of
experimental status, and adds a tremendous list of other improvements,
performance enhancements, and bug fixes.

Linkerd's new traffic splitting feature allows users to dynamically control the
percentage of traffic destined for a service. This powerful feature can be used
to implement rollout strategies like canary releases and blue-green deploys.
Support for the [Service Mesh Interface](https://smi-spec.io) (SMI) makes it
easier for ecosystem tools to work across all service mesh implementations.

Along with the introduction of optional install stages via the `linkerd install
config` and `linkerd install control-plane` commands, the default behavior of
the `linkerd inject` command only adds annotations and defers injection to the
always-installed proxy injector component.

Finally, there have been many performance and usability improvements to the
proxy and UI, as well as production-ready features including: 
* A new `linkerd edges` command that provides fine-grained observability into
  the TLS-based identity system
* A `--enable-debug-sidecar` flag for the `linkerd inject` command that improves
  debugging efforts

Linkerd recently passed a CNCF-sponsored security audit! Check out the in-depth
report [here](https://github.com/linkerd/linkerd2/blob/master/SECURITY_AUDIT.pdf).

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
plane. This command ensures that all existing control plane's configuration and
mTLS secrets are retained. For more details, please see the [upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0).

**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr,
@matej-g, @Pothulapati, @zaharidichev

**Full release notes**:

* CLI
  * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy
    injector is now always installed
  * **Breaking Change** Replaced the `--linkerd-version` flag with the
    `--proxy-version` flag in the `linkerd install` and `linkerd upgrade`
    commands, which allows setting the version for the injected proxy sidecar
    image, without changing the image versions for the control plane
  * Introduced install stages: `linkerd install config` and `linkerd install
    control-plane`
  * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade
    control-plane`
  * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing
    manually feeding a previously saved output of `linkerd install` into the
    command, instead of requiring a connection to the cluster to fetch the
    config
  * Introduced a new `--manual` flag to `linkerd inject` to output the proxy
    sidecar container spec
  * Introduced a new `--enable-debug-sidecar` flag to `linkerd inject`, that
    injects a debug sidecar to inspect traffic to and from the meshed pod
  * Added a new check for unschedulable pods and PSP issues (thanks,
    @liquidslr!)
  * Disabled the spinner in `linkerd check` when running without a TTY
  * Ensured the ServiceAccount for the proxy injector is created before its
    Deployment to avoid warnings when installing the proxy injector (thanks,
    @dwj300!)
  * Added a `linkerd check config` command for verifying that `linkerd install
    config` was successful
  * Improved the help documentation of `linkerd install` to clarify flag usage
  * Added support for private Kubernetes clusters by changing the CLI to connect
    to the control plane using a port-forward (thanks, @jackprice!)
  * Fixed `linkerd check` and `linkerd dashboard` failing when any control plane
    pod is not ready, even when multiple replicas exist (as in HA mode)
  * **New** Added a `linkerd edges` command that shows the source and
    destination name and identity for proxied connections, to assist in
    debugging
  * Tap can now be disabled for specific pods during injection by using the
    `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`
    annotation
  * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
  * Added a JSON option to the `linkerd edges` command so that output is
    scripting friendly and can be parsed easily (thanks @alenkacz!)
  * Fixed an issue where, when Linkerd is installed with `--ha`, running
    `linkerd upgrade` without `--ha` will disable the high availability control
    plane
  * Fixed an issue with `linkerd upgrade` where running without `--ha` would
    unintentionally disable high availability features if they were previously
    enabled
  * Added a `--init-image-version` flag to `linkerd inject` to override the
    injected proxy-init container version
  * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so that
    `NET_ADMIN` capability is omitted from the CNI-enabled control plane's PSP
  * Updated `linkerd check` to validate the caller can create
    `PodSecurityPolicy` resources
  * Added a check to `linkerd install` to prevent installing multiple control
    planes into different namespaces to avoid conflicts between global resources
  * Added support for passing a URL directly to `linkerd inject` (thanks
    @Pothulapati!)
  * Added more descriptive output to the `linkerd check` output for control
    plane ReplicaSet readiness
  * Refactored the `linkerd endpoints` to use the same interface as used by the
    proxy for service discovery information
  * Fixed a bug where `linkerd inject` would fail when given a path to a file
    outside the current directory
  * Graduated high-availability support out of experimental status
  * Modified the error message for `linkerd install` to provide instructions for
    proceeding when an existing installation is found
* Controller
  * Added Go pprof HTTP endpoints to all control plane components' admin servers
    to better assist debugging efforts
  * Fixed bug in the proxy injector, where sporadically the pod workload owner
    wasn't properly determined, which would result in erroneous stats
  * Added support for a new `config.linkerd.io/disable-identity` annotation to
    opt out of identity for a specific pod
  * Fixed pod creation failure when a `ResourceQuota` exists by adding a default
    resource spec for the proxy-init init container
  * Fixed control plane components failing on startup when the Kubernetes API
    returns an `ErrGroupDiscoveryFailed`
  * Added Controller Component Labels to the webhook config resources (thanks,
    @Pothulapati!)
  * Moved the tap service into its own pod
  * **New** Control plane installations now generate a self-signed certificate
    and private key pair for each webhook, to prepare for future work to make
    the proxy injector and service profile validator HA
  * Added the `config.linkerd.io/enable-debug-sidecar` annotation allowing the
    `--enable-debug-sidecar` flag to work when auto-injecting Linkerd proxies
  * Added multiple replicas for the `proxy-injector` and `sp-validator`
    controllers when run in high availability mode (thanks to @Pothulapati!)
  * Defined least privilege default security context values for the proxy
    container so that auto-injection does not fail (thanks @codeman9!)
  * Default the webhook failure policy to `Fail` in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  * Introduced control plane's PSP and RBAC resources into Helm templates; these
    policies are only in effect if the PSP admission controller is enabled
  * Removed `UPDATE` operation from proxy-injector webhook because pod mutations
    are disallowed during update operations
  * Default the mutating and validating webhook configurations `sideEffects`
    property to `None` to indicate that the webhooks have no side effects on
    other resources (thanks @Pothulapati!)
  * Added support for the SMI TrafficSplit API which allows users to define
    traffic splits in TrafficSplit custom resources
  * Added the `linkerd.io/control-plane-ns` label to all Linkerd resources
    allowing them to be identified using a label selector
  * Added Prometheus metrics for the Kubernetes watchers in the destination
    service for better visibility
* Proxy
  * Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  * Fixed an issue where load balancers can become stuck
  * Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  * Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  * Fix an epoll notification issue that could cause excessive CPU usage
  * Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)
  * Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload ends
    before the entire payload is sent to the destination
  * The `l5d-override-dst` header is now used for inbound service profile
    discovery
  * Added errors totals to `response_total` metrics
  * Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
  * Added the `NET_RAW` capability to the proxy-init container to be compatible
    with `PodSecurityPolicy`s that use `drop: all`
  * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`
  * Improved idle service eviction to reduce resource consumption for clients
    that send requests to many services
  * Fixed proxied HTTP/2 connections returning 502 errors when the upstream
    connection is reset, rather than propagating the reset to the client
  * Changed the proxy to treat unexpected HTTP/2 frames as stream errors rather
    than connection errors
  * Fixed a bug where DNS queries could persist longer than necessary
  * Improved router eviction to remove idle services in a more timely manner
  * Fixed a bug where the proxy would fail to process requests with obscure
    characters in the URI
* Web UI
  * Added the Font Awesome stylesheet locally; this allows both Font Awesome and
    Material-UI sidebar icons to display consistently with no/limited internet
    access (thanks again, @liquidslr!)
  * Removed the Authorities table and sidebar link from the dashboard to prepare
    for a new, improved dashboard view communicating authority data
  * Fixed dashboard behavior that caused incorrect table sorting
  * Removed the "Debug" page from the Linkerd dashboard while the functionality
    of that page is being redesigned
  * Added an Edges table to the resource detail view that shows the source,
    destination name, and identity for proxied connections
  * Improved UI for Edges table in dashboard by changing column names, adding a
    "Secured" icon and showing an empty Edges table in the case of no returned
    edges
* Internal
  * Known container errors were hidden in the integration tests; now they are
    reported in the output without having the tests fail
  * Fixed integration tests by adding known proxy-injector log warning to tests
  * Modified the integration test for `linkerd upgrade` in order to test
    upgrading from the latest stable release instead of the latest edge and
    reflect the typical use case
  * Moved the proxy-init container to a separate `linkerd/proxy-init` Git
    repository

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Kevin Leimkuhler 2019-07-09 16:29:04 -07:00 committed by GitHub
parent c5b0659a51
commit a63c9cedc9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 204 additions and 0 deletions

@ -1,3 +1,207 @@
## stable-2.4.0
This release adds traffic splitting functionality, support for the Kubernetes
Service Mesh Interface (SMI), graduates high-availability support out of
experimental status, and adds a tremendous list of other improvements,
performance enhancements, and bug fixes.
Linkerd's new traffic splitting feature allows users to dynamically control the
percentage of traffic destined for a service. This powerful feature can be used
to implement rollout strategies like canary releases and blue-green deploys.
Support for the [Service Mesh Interface](https://smi-spec.io) (SMI) makes it
easier for ecosystem tools to work across all service mesh implementations.
Along with the introduction of optional install stages via the `linkerd install
config` and `linkerd install control-plane` commands, the default behavior of
the `linkerd inject` command only adds annotations and defers injection to the
always-installed proxy injector component.
Finally, there have been many performance and usability improvements to the
proxy and UI, as well as production-ready features including:
* A new `linkerd edges` command that provides fine-grained observability into
the TLS-based identity system
* A `--enable-debug-sidecar` flag for the `linkerd inject` command that improves
debugging efforts
Linkerd recently passed a CNCF-sponsored security audit! Check out the in-depth
report [here](https://github.com/linkerd/linkerd2/blob/master/SECURITY_AUDIT.pdf).
To install this release, run: `curl https://run.linkerd.io/install | sh`
**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
plane. This command ensures that all existing control plane's configuration and
mTLS secrets are retained. For more details, please see the [upgrade
instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0) for more details.
**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr
@matej-g, @Pothulapati, @zaharidichev,
**Full release notes**:
* CLI
* **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy
injector is now always installed
* **Breaking Change** Replaced the `--linkerd-version` flag with the
`--proxy-version` flag in the `linkerd install` and `linkerd upgrade`
commands, which allows setting the version for the injected proxy sidecar
image, without changing the image versions for the control plane
* Introduced install stages: `linkerd install config` and `linkerd install
control-plane`
* Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade
control-plane`
* Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing
manually feeding a previously saved output of `linkerd install` into the
command, instead of requiring a connection to the cluster to fetch the
config
* Introduced a new `--manual` flag to `linkerd inject` to output the proxy
sidecar container spec
* Introduced a new `--enable-debug-sidecar` flag to `linkerd inject`, that
injects a debug sidecar to inspect traffic to and from the meshed pod
* Added a new check for unschedulable pods and PSP issues (thanks,
@liquidslr!)
* Disabled the spinner in `linkerd check` when running without a TTY
* Ensured the ServiceAccount for the proxy injector is created before its
Deployment to avoid warnings when installing the proxy injector (thanks,
@dwj300!)
* Added a `linkerd check config` command for verifying that `linkerd install
config` was successful
* Improved the help documentation of `linkerd install` to clarify flag usage
* Added support for private Kubernetes clusters by changing the CLI to connect
to the control plane using a port-forward (thanks, @jackprice!)
* Fixed `linkerd check` and `linkerd dashboard` failing when any control plane
pod is not ready, even when multiple replicas exist (as in HA mode)
* **New** Added a `linkerd edges` command that shows the source and
destination name and identity for proxied connections, to assist in
debugging
* Tap can now be disabled for specific pods during injection by using the
`--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`
annotation
* Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
* Added a JSON option to the `linkerd edges` command so that output is
scripting friendly and can be parsed easily (thanks @alenkacz!)
* Fixed an issue when Linkerd is installed with `--ha`, running `linkerd
upgrade` without `--ha` will disable the high availability control plane
* Fixed an issue with `linkerd upgrade` where running without `--ha` would
unintentionally disable high availability features if they were previously
enabled
* Added a `--init-image-version` flag to `linkerd inject` to override the
injected proxy-init container version
* Added the `--linkerd-cni-enabled` flag to the `install` subcommands so that
`NET_ADMIN` capability is omitted from the CNI-enabled control plane's PSP
* Updated `linkerd check` to validate the caller can create
`PodSecurityPolicy` resources
* Added a check to `linkerd install` to prevent installing multiple control
planes into different namespaces avoid conflicts between global resources
* Added support for passing a URL directly to `linkerd inject` (thanks
@Pothulapati!)
* Added more descriptive output to the `linkerd check` output for control
plane ReplicaSet readiness
* Refactored the `linkerd endpoints` to use the same interface as used by the
proxy for service discovery information
* Fixed a bug where `linkerd inject` would fail when given a path to a file
outside the current directory
* Graduated high-availability support out of experimental status
* Modified the error message for `linkerd install` to provide instructions for
proceeding when an existing installation is found
* Controller
* Added Go pprof HTTP endpoints to all control plane components' admin servers
to better assist debugging efforts
* Fixed bug in the proxy injector, where sporadically the pod workload owner
wasn't properly determined, which would result in erroneous stats
* Added support for a new `config.linkerd.io/disable-identity` annotation to
opt out of identity for a specific pod
* Fixed pod creation failure when a `ResourceQuota` exists by adding a default
resource spec for the proxy-init init container
* Fixed control plane components failing on startup when the Kubernetes API
returns an `ErrGroupDiscoveryFailed`
* Added Controller Component Labels to the webhook config resources (thanks,
@Pothulapati!)
* Moved the tap service into its own pod
* **New** Control plane installations now generate a self-signed certificate
and private key pair for each webhook, to prepare for future work to make
the proxy injector and service profile validator HA
* Added the ` config.linkerd.io/enable-debug-sidecar` annotation allowing the
`--enable-debug-sidecar` flag to work when auto-injecting Linkerd proxies
* Added multiple replicas for the `proxy-injector` and `sp-validator`
controllers when run in high availability mode (thanks to @Pothulapati!)
* Defined least privilege default security context values for the proxy
container so that auto-injection does not fail (thanks @codeman9!)
* Default the webhook failure policy to `Fail` in order to account for
unexpected errors during auto-inject; this ensures uninjected applications
are not deployed
* Introduced control plane's PSP and RBAC resources into Helm templates; these
policies are only in effect if the PSP admission controller is enabled
* Removed `UPDATE` operation from proxy-injector webhook because pod mutations
are disallowed during update operations
* Default the mutating and validating webhook configurations `sideEffects`
property to `None` to indicate that the webhooks have no side effects on
other resources (thanks @Pothulapati!)
* Added support for the SMI TrafficSplit API which allows users to define
traffic splits in TrafficSplit custom resources
* Added the `linkerd.io/control-plane-ns` label to all Linkerd resources
allowing them to be identified using a label selector
* Added Prometheus metrics for the Kubernetes watchers in the destination
service for better visibility
* Proxy
* Replaced the fixed reconnect backoff with an exponential one (thanks,
@zaharidichev!)
* Fixed an issue where load balancers can become stuck
* Added a dispatch timeout that limits the amount of time a request can be
buffered in the proxy
* Removed the limit on the number of concurrently active service discovery
queries to the destination service
* Fix an epoll notification issue that could cause excessive CPU usage
* Added the ability to disable tap by setting an env var (thanks,
@zaharidichev!)
* Changed the proxy's routing behavior so that, when the control plane does
not resolve a destination, the proxy forwards the request with minimal
additional routing logic
* Fixed a bug in the proxy's HPACK codec that could cause requests with very
large header values to hang indefinitely
* Fixed a memory leak that can occur if an HTTP/2 request with a payload ends
before the entire payload is sent to the destination
* The `l5d-override-dst` header is now used for inbound service profile
discovery
* Added errors totals to `response_total` metrics
* Changed the load balancer to require that Kubernetes services are resolved
via the control plane
* Added the `NET_RAW` capability to the proxy-init container to be compatible
with `PodSecurityPolicy`s that use `drop: all`
* Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`
* Improved idle service eviction to reduce resource consumption for clients
that send requests to many services
* Fixed proxied HTTP/2 connections returning 502 errors when the upstream
connection is reset, rather than propagating the reset to the client
* Changed the proxy to treat unexpected HTTP/2 frames as stream errors rather
than connection errors
* Fixed a bug where DNS queries could persist longer than necessary
* Improved router eviction to remove idle services in a more timely manner
* Fixed a bug where the proxy would fail to process requests with obscure
characters in the URI
* Web UI
* Added the Font Awesome stylesheet locally; this allows both Font Awesome and
Material-UI sidebar icons to display consistently with no/limited internet
access (thanks again, @liquidslr!)
* Removed the Authorities table and sidebar link from the dashboard to prepare
for a new, improved dashboard view communicating authority data
* Fixed dashboard behavior that caused incorrect table sorting
* Removed the "Debug" page from the Linkerd dashboard while the functionality
of that page is being redesigned
* Added an Edges table to the resource detail view that shows the source,
destination name, and identity for proxied connections
* Improved UI for Edges table in dashboard by changing column names, adding a
"Secured" icon and showing an empty Edges table in the case of no returned
edges
* Internal
* Known container errors were hidden in the integration tests; now they are
reported in the output without having the tests fail
* Fixed integration tests by adding known proxy-injector log warning to tests
* Modified the integration test for `linkerd upgrade` in order to test
upgrading from the latest stable release instead of the latest edge and
reflect the typical use case
* Moved the proxy-init container to a separate `linkerd/proxy-init` Git
repository
## edge-19.7.3
* CLI
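
Review bot: The CLI list records the same `linkerd upgrade` / `--ha` fix twice, in two consecutive entries: "Fixed an issue when Linkerd is installed with `--ha`, running `linkerd upgrade` without `--ha` will disable the high availability control plane" and "Fixed an issue with `linkerd upgrade` where running without `--ha` would unintentionally disable high availability features if they were previously enabled". The first can be read as saying the upgrade now disables HA, so drop it and keep the second. Smaller wording points in the same hunk: the upgrade notes sentence both opens and closes with "for more details"; the thanks line is missing a comma after @liquidslr and ends on a dangling comma; the multiple control planes entry reads "into different namespaces avoid conflicts" and needs "to avoid"; the `config.linkerd.io/enable-debug-sidecar` annotation has a leading space inside its backticks, which breaks copy and paste of the annotation key; and "Default the webhook failure policy", "Default the mutating and validating webhook configurations" and "Fix an epoll notification issue" are in the imperative while the rest of the list is past tense.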