From c1c1b3f0a35e923c9544348a83b706c07d19aa58 Mon Sep 17 00:00:00 2001 From: "Carol A. Scott" Date: Fri, 22 Mar 2019 13:26:30 -0700 Subject: [PATCH] Adding edge-19.3.3 updates (#2544) This PR updates CHANGES.md with information about the newest edge release, 19.3.3. --- CHANGES.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index a8a1f673c..a3b504608 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,51 @@ +## edge-19.3.3 + +**Significant Update** + +This edge release introduces a new TLS Identity system into the default Linkerd +installation, replacing `tls=optional` and the `linkerd-ca` controller. Now, +proxies generate ephemeral private keys into a tmpfs directory and dynamically +refresh certificates, authenticated by Kubernetes ServiceAccount tokens, via the +newly-introduced Identity controller. + +Now, all meshed HTTP communication is private and authenticated by default. + +* CLI + * Changed `install` to accept or generate an issuer Secret for the Identity + controller + * Changed `install` to fail in the case of a conflict with an existing + installation; this can be disabled with the `--ignore-cluster` flag + * Changed `inject` to require fetching a configuration from the control plane; + this can be disabled with the `--ignore-cluster` and `--disable-identity` + flags, though this will prevent the injected pods from participating in mesh + identity + * Removed the `--tls=optional` flag from the `linkerd install` command, since + TLS is now enabled by default + * Added the ability to adjust the Prometheus log level +* Proxy + * **Fixed** a stream leak between the proxy and the control plane that could + cause the `linkerd-controller` pod to use an excessive amount of memory + * Introduced per-proxy private key generation and dynamic certificate renewal + * Added a readiness check endpoint on `:4191/ready` so that Kubernetes doesn't + consider pods ready until they have acquired a certificate from the Identity + controller + * The proxy's connect timeouts have been updated, especially to improve + reconnect behavior between the proxy and the control plane +* Web UI + * Added TCP stats to the Linkerd Pod Grafana dashboard + * Fixed the behavior of the Top query 'Start' button if a user's query returns + no data + * Added stable sorting for table rows + * Fixed an issue with the order of tables returned from a Top Routes query + * Added text 
wrap for paths in the modal for expanded Tap query data +* Internal + * Improved the `bin/go-run` script for the build process so that on failure, + all associated background processes are terminated + +Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone +and @sourishkrout at @smallstep for collaboration and advice on the Identity +system! + ## edge-19.3.2 * Controller
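Review bot: In the CLI section, the `inject` entry says fetching the configuration "can be disabled with the `--ignore-cluster` and `--disable-identity` flags", which does not say whether both flags must be passed together or whether either one is enough, and the consequence (the pods do not participate in mesh identity) is left to the end of the bullet. Since the summary states that "all meshed HTTP communication is private and authenticated by default", I would spell out the flag requirement and mention in the summary that pods injected with identity disabled are the exception. The entry also removes `--tls=optional` and replaces the `linkerd-ca` controller without an upgrade note; anyone whose install scripts still pass that flag would benefit from a sentence on what to do. Minor style point: in the Proxy section, "The proxy's connect timeouts have been updated" breaks the verb-first pattern of the other bullets; "Updated the proxy's connect timeouts" would match.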