diff --git a/CHANGES.md b/CHANGES.md index 126e448c5..51d3846c9 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,207 @@ +## stable-2.4.0 + +This release adds traffic splitting functionality, support for the Kubernetes +Service Mesh Interface (SMI), graduates high-availability support out of +experimental status, and adds a tremendous list of other improvements, +performance enhancements, and bug fixes. + +Linkerd's new traffic splitting feature allows users to dynamically control the +percentage of traffic destined for a service. This powerful feature can be used +to implement rollout strategies like canary releases and blue-green deploys. +Support for the [Service Mesh Interface](https://smi-spec.io) (SMI) makes it +easier for ecosystem tools to work across all service mesh implementations. + +Along with the introduction of optional install stages via the `linkerd install +config` and `linkerd install control-plane` commands, the default behavior of +the `linkerd inject` command only adds annotations and defers injection to the +always-installed proxy injector component. + +Finally, there have been many performance and usability improvements to the +proxy and UI, as well as production-ready features including: +* A new `linkerd edges` command that provides fine-grained observability into + the TLS-based identity system +* A `--enable-debug-sidecar` flag for the `linkerd inject` command that improves + debugging efforts + +Linkerd recently passed a CNCF-sponsored security audit! Check out the in-depth +report [here](https://github.com/linkerd/linkerd2/blob/master/SECURITY_AUDIT.pdf). + +To install this release, run: `curl https://run.linkerd.io/install | sh` + +**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control +plane. This command ensures that all existing control plane's configuration and +mTLS secrets are retained. For more details, please see the [upgrade +instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0) for more details. 
+ +**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr +@matej-g, @Pothulapati, @zaharidichev, + +**Full release notes**: + +* CLI + * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy + injector is now always installed + * **Breaking Change** Replaced the `--linkerd-version` flag with the + `--proxy-version` flag in the `linkerd install` and `linkerd upgrade` + commands, which allows setting the version for the injected proxy sidecar + image, without changing the image versions for the control plane + * Introduced install stages: `linkerd install config` and `linkerd install + control-plane` + * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade + control-plane` + * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing + manually feeding a previously saved output of `linkerd install` into the + command, instead of requiring a connection to the cluster to fetch the + config + * Introduced a new `--manual` flag to `linkerd inject` to output the proxy + sidecar container spec + * Introduced a new `--enable-debug-sidecar` flag to `linkerd inject`, that + injects a debug sidecar to inspect traffic to and from the meshed pod + * Added a new check for unschedulable pods and PSP issues (thanks, + @liquidslr!) + * Disabled the spinner in `linkerd check` when running without a TTY + * Ensured the ServiceAccount for the proxy injector is created before its + Deployment to avoid warnings when installing the proxy injector (thanks, + @dwj300!) + * Added a `linkerd check config` command for verifying that `linkerd install + config` was successful + * Improved the help documentation of `linkerd install` to clarify flag usage + * Added support for private Kubernetes clusters by changing the CLI to connect + to the control plane using a port-forward (thanks, @jackprice!) 
+ * Fixed `linkerd check` and `linkerd dashboard` failing when any control plane + pod is not ready, even when multiple replicas exist (as in HA mode) + * **New** Added a `linkerd edges` command that shows the source and + destination name and identity for proxied connections, to assist in + debugging + * Tap can now be disabled for specific pods during injection by using the + `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap` + annotation + * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!) + * Added a JSON option to the `linkerd edges` command so that output is + scripting friendly and can be parsed easily (thanks @alenkacz!) + * Fixed an issue when Linkerd is installed with `--ha`, running `linkerd + upgrade` without `--ha` will disable the high availability control plane + * Fixed an issue with `linkerd upgrade` where running without `--ha` would + unintentionally disable high availability features if they were previously + enabled + * Added a `--init-image-version` flag to `linkerd inject` to override the + injected proxy-init container version + * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so that + `NET_ADMIN` capability is omitted from the CNI-enabled control plane's PSP + * Updated `linkerd check` to validate the caller can create + `PodSecurityPolicy` resources + * Added a check to `linkerd install` to prevent installing multiple control + planes into different namespaces avoid conflicts between global resources + * Added support for passing a URL directly to `linkerd inject` (thanks + @Pothulapati!) 
+ * Added more descriptive output to the `linkerd check` output for control + plane ReplicaSet readiness + * Refactored the `linkerd endpoints` to use the same interface as used by the + proxy for service discovery information + * Fixed a bug where `linkerd inject` would fail when given a path to a file + outside the current directory + * Graduated high-availability support out of experimental status + * Modified the error message for `linkerd install` to provide instructions for + proceeding when an existing installation is found +* Controller + * Added Go pprof HTTP endpoints to all control plane components' admin servers + to better assist debugging efforts + * Fixed bug in the proxy injector, where sporadically the pod workload owner + wasn't properly determined, which would result in erroneous stats + * Added support for a new `config.linkerd.io/disable-identity` annotation to + opt out of identity for a specific pod + * Fixed pod creation failure when a `ResourceQuota` exists by adding a default + resource spec for the proxy-init init container + * Fixed control plane components failing on startup when the Kubernetes API + returns an `ErrGroupDiscoveryFailed` + * Added Controller Component Labels to the webhook config resources (thanks, + @Pothulapati!) + * Moved the tap service into its own pod + * **New** Control plane installations now generate a self-signed certificate + and private key pair for each webhook, to prepare for future work to make + the proxy injector and service profile validator HA + * Added the ` config.linkerd.io/enable-debug-sidecar` annotation allowing the + `--enable-debug-sidecar` flag to work when auto-injecting Linkerd proxies + * Added multiple replicas for the `proxy-injector` and `sp-validator` + controllers when run in high availability mode (thanks to @Pothulapati!) + * Defined least privilege default security context values for the proxy + container so that auto-injection does not fail (thanks @codeman9!) 
+ * Default the webhook failure policy to `Fail` in order to account for + unexpected errors during auto-inject; this ensures uninjected applications + are not deployed + * Introduced control plane's PSP and RBAC resources into Helm templates; these + policies are only in effect if the PSP admission controller is enabled + * Removed `UPDATE` operation from proxy-injector webhook because pod mutations + are disallowed during update operations + * Default the mutating and validating webhook configurations `sideEffects` + property to `None` to indicate that the webhooks have no side effects on + other resources (thanks @Pothulapati!) + * Added support for the SMI TrafficSplit API which allows users to define + traffic splits in TrafficSplit custom resources + * Added the `linkerd.io/control-plane-ns` label to all Linkerd resources + allowing them to be identified using a label selector + * Added Prometheus metrics for the Kubernetes watchers in the destination + service for better visibility +* Proxy + * Replaced the fixed reconnect backoff with an exponential one (thanks, + @zaharidichev!) + * Fixed an issue where load balancers can become stuck + * Added a dispatch timeout that limits the amount of time a request can be + buffered in the proxy + * Removed the limit on the number of concurrently active service discovery + queries to the destination service + * Fix an epoll notification issue that could cause excessive CPU usage + * Added the ability to disable tap by setting an env var (thanks, + @zaharidichev!) 
+ * Changed the proxy's routing behavior so that, when the control plane does + not resolve a destination, the proxy forwards the request with minimal + additional routing logic + * Fixed a bug in the proxy's HPACK codec that could cause requests with very + large header values to hang indefinitely + * Fixed a memory leak that can occur if an HTTP/2 request with a payload ends + before the entire payload is sent to the destination + * The `l5d-override-dst` header is now used for inbound service profile + discovery + * Added errors totals to `response_total` metrics + * Changed the load balancer to require that Kubernetes services are resolved + via the control plane + * Added the `NET_RAW` capability to the proxy-init container to be compatible + with `PodSecurityPolicy`s that use `drop: all` + * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority` + * Improved idle service eviction to reduce resource consumption for clients + that send requests to many services + * Fixed proxied HTTP/2 connections returning 502 errors when the upstream + connection is reset, rather than propagating the reset to the client + * Changed the proxy to treat unexpected HTTP/2 frames as stream errors rather + than connection errors + * Fixed a bug where DNS queries could persist longer than necessary + * Improved router eviction to remove idle services in a more timely manner + * Fixed a bug where the proxy would fail to process requests with obscure + characters in the URI +* Web UI + * Added the Font Awesome stylesheet locally; this allows both Font Awesome and + Material-UI sidebar icons to display consistently with no/limited internet + access (thanks again, @liquidslr!) 
+ * Removed the Authorities table and sidebar link from the dashboard to prepare + for a new, improved dashboard view communicating authority data + * Fixed dashboard behavior that caused incorrect table sorting + * Removed the "Debug" page from the Linkerd dashboard while the functionality + of that page is being redesigned + * Added an Edges table to the resource detail view that shows the source, + destination name, and identity for proxied connections + * Improved UI for Edges table in dashboard by changing column names, adding a + "Secured" icon and showing an empty Edges table in the case of no returned + edges +* Internal + * Known container errors were hidden in the integration tests; now they are + reported in the output without having the tests fail + * Fixed integration tests by adding known proxy-injector log warning to tests + * Modified the integration test for `linkerd upgrade` in order to test + upgrading from the latest stable release instead of the latest edge and + reflect the typical use case + * Moved the proxy-init container to a separate `linkerd/proxy-init` Git + repository + ## edge-19.7.3 * CLI
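Review bot: Under CLI, the two consecutive bullets about running `linkerd upgrade` without `--ha` ("Fixed an issue when Linkerd is installed with `--ha`, running `linkerd upgrade` without `--ha` will disable the high availability control plane" and "Fixed an issue with `linkerd upgrade` where running without `--ha` would unintentionally disable high availability features") describe the same fix. Keep the second, which states the fixed behaviour unambiguously, and drop the first. Smaller text fixes in the same hunk: the upgrade notes sentence says "for more details" twice; the special-thanks list is missing a comma after @liquidslr and ends with a trailing comma; "into different namespaces avoid conflicts" is missing "to"; the ` config.linkerd.io/enable-debug-sidecar` annotation has a leading space inside the backticks; "Fix an epoll notification issue" should read "Fixed" to match the other entries; "Added errors totals" should read "error totals". The Controller entry that defaults the webhook failure policy to `Fail` changes default admission behaviour, so it deserves a line in the upgrade notes next to the `linkerd upgrade` guidance.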