Commit Graph

151 Commits

Author SHA1 Message Date
cpretzer 460920633d
Changes for edge-20.10.4 (#5123)
* Changes for edge-20.10.4

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-10-22 14:06:44 -07:00
Alex Leong eccc6d1214
edge-20.10.3 (#5079)
This edge release is a release candidate for stable-2.9.0.  It overhauls the
discovery and routing logic implemented by the proxy, simplifies the way that
Linkerd stores configuration, and adds new Helm values to configure additional
labels, annotations, and namespace selectors for webhooks.

* Added podLabels and podAnnotations Helm values to allow adding additional
  labels or annotations to Linkerd control plane pods (thanks @tustvold!)
* Added namespaceSelector Helm value for configuring the namespace selector
  used by admission webhooks (thanks @tustvold!)
* Expanded the 'linkerd edges' command to show TCP connections
* Overhauled the discovery and routing logic implemented by the proxy:
  * The `l5d-dst-override` header is no longer honored
  * When the application attempts to connect to a pod IP, the proxy no
    longer load balances these requests among all pods in the service.
    The proxy will now honor session-stickiness as selected by an
    application-level load balancer
  * `TrafficSplits` are only applied when a client targets a service's IP
  * The proxy no longer performs DNS "canonicalization" to translate
    relative host header names to a fully-qualified form
* Simplified the way that Linkerd stores its configuration.  Configuration is
  now stored as Helm values in the linkerd-config ConfigMap
* Renamed the --addon-config flag to --config to clarify this flag can be used
  to set any Helm value

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-14 09:59:59 -07:00
Zahari Dichev c1bc91dc9c
edge-20.10.2 (#5050)
## edge-20.10.2

This edge release adds more improvements for mTLS for all TCP traffic.
It also includes significant internal improvements to the way Linkerd
configuration is stored within the cluster.

* Changed TCP metrics exported by the proxy to ensure that peer
  identities are encoded via the `client_id` and `server_id` labels.
* Removed the dependency of control plane components on `linkerd-config`
* Updated the data structure `proxy-injector` uses to derive the configuration
  used when injecting workloads
2020-10-08 20:18:07 +03:00
Alejandro Pedraza 2b7bc7362a
Edge-20.10.1 changes (#5033)
* Edge-20.10.1 changes

## edge-20.10.1

This edge release includes a couple of external contributions towards
improved cert-manager support and Grafana charts fixes, among other
enhancements.

* Changed the type of the injector and tap API secrets to `kubernetes.io/tls`,
  so they can be provisioned by cert-manager (thanks @cypherfox!)
* Fixed the "Kubernetes cluster monitoring" Grafana dashboard that had a few
  charts with incomplete data (thanks @aimbot31!)
* Fixed the `service-mirror` multicluster component so that it retries
  connections to the target cluster's Kubernetes API when it's not reachable,
  instead of blocking
* Increased the proxy's default timeout for DNS resolution to 500ms, as there
  were reports that 100ms was too restrictive

Co-authored-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-10-01 15:35:34 -05:00
Kevin Leimkuhler 55dd49e826
Add changes for edge-20.9.4 (#5004)
## edge-20.9.4

This edge release introduces support for authenticated docker registries and
fixes a recent multicluster regression.

* Fixed a regression in multicluster gateway configurations that would forbid
  inbound gateway traffic
* Upgraded bundled Grafana to v7.1.5
* Enabled Jaeger receiver in collector configuration in Helm chart (thanks
  @olivierboudet!)
* Fixed skip port configuration being skipped in CNI plugin
* Introduced support for authenticated docker registries (thanks @c-n-c!)

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-09-24 19:29:20 -04:00
Eliza Weisman 77a55be765
update changelog for edge-20.9.3 (#4982)
This edge release includes fixes and updates for the control plane and
CLI.

* Added `--dest-cni-bin-dir` flag to the `linkerd install-cni` command,
  to configure the directory on the host where the CNI binary will be
  placed
* Removed `collector.name` and `jaeger.name` config fields from the
  tracing addon
* Updated Jaeger to 1.19.2
* Fixed a warning about deprecated Go packages in controller container
  logs
2020-09-17 12:15:35 -07:00
cpretzer 8d1fb80839
edge-20.9.2 Changes (#4961)
* edge-20.9.2 Changes

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-09-10 21:50:27 -07:00
Alejandro Pedraza 565b5e43b9
Edge-20.9.1 release notes (#4942)
## edge-20.9.1

This edge release contains an important proxy update that allows linkerd to
continue to operate normally in HA during node outages. We're also adding full
Kubernetes 1.19 support!

* Improved the proxy's error handling for DNS errors encountered when
  discovering control plane addresses, which can be common during installation,
  before all components have been started
* The destination and identity services had to be made headless in order to
  support that new controller discovery (which now can leverage SRV records)
* Use SAN fields when generating the linkerd webhook configs; this completes the
  Kubernetes 1.19 support which enforces them
* Fixed `linkerd check` for multicluster that was spuriously claiming the
  absence of some resources
* Improved the injection test cleanup (thanks @zhouhao3!)
* Added ability to run the integration test suite using a cluster in an ARM
  architecture (thanks @aliariff!)
2020-09-03 14:28:47 -05:00
Zahari Dichev d28044db7a
edge-20.8.4 (#4916)
## edge-20.8.4

* Fixed a problem causing the `enable-endpoint-slices` flag to not be persisted
  when set via `linkerd upgrade` (thanks @Matei207!)
* Removed SMI-Metrics templates and experimental sub-commands
* Use `--frozen-lockfile` to avoid accidental update of dashboard JS
  dependencies in CI (thanks @tharun208!)

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-08-27 18:43:12 +03:00
Eliza Weisman 83d69beded
update changelog for edge-20.8.3 (#4904)
This edge release adds support for [topology-aware service routing][1]
to the Destination controller. When providing service discovery updates
to proxies, the Destination controller will now filter endpoints based
on the service's topology preferences. Additionally, this release
includes bug fixes for the `linkerd check` CLI command and web
dashboard.

* CLI
  * `linkerd check` will no longer warn about a looser webhook failure
    policy in HA mode
* Controller
  * Added support for [topology-aware service routing][1] to the
    Destination controller (thanks @Matei207)
  * Changed the Destination controller to always return destination
    overrides for service profiles when no traffic split is present
* Web UI
  * Fixed Tap `Authority` dropdown not being populated (thanks to
    @tharun208!)

[1]: https://kubernetes.io/docs/concepts/services-networking/service-topology/
2020-08-21 12:51:35 -07:00
cpretzer 311a97a6fc
Changes for edge-20.8.2 (#4883)
* Changes for edge-20.8.2

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-08-14 17:40:42 -07:00
Josh Soref 72aadb540f
Spelling (#4872)
This PR corrects misspellings identified by the [check-spelling action](https://github.com/marketplace/actions/check-spelling).

The misspellings have been reported at aaf440489e (commitcomment-41423663)

The action reports that the changes in this PR would make it happy: 5b82c6c5ca

Note: this PR does not include the action. If you're interested in running a spell check on every PR and push, that can be offered separately.

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-08-12 21:59:50 -07:00
Alex Leong 729abf7f72
edge-20.8.1 (#4849)
This edge adds multi-arch support to Linkerd! Our docker images and CLI now
support the amd64, arm64, and arm architectures.

* Multicluster
  * Added a multicluster unlink command for removing multicluster links
  * Improved multicluster checks to be more informative when the remote API is
    not reachable
* Proxy
  * Enabled a multi-threaded runtime to substantially improve latency especially
    when the proxy is serving requests for many concurrent connections
* Other
  * Fixed an issue where the debug sidecar image was missing during upgrades
    (thanks @javaducky!)
  * Updated all control plane and proxy container images to be multi-arch
    to support amd64, arm64, and arm (thanks @aliariff!)
  * Fixed an issue where check was failing when DisableHeartBeat was set to true
    (thanks @mvaal!)
2020-08-11 11:55:07 -07:00
Alejandro Pedraza e62ff75cde
Change notes for edge-20.7.5 (#4816)
* Change notes for edge-20.7.5
2020-07-30 17:15:22 -05:00
Zahari Dichev 76f73a2790
edge-20.7.4 (#4785)
## edge-20.7.4

This edge release adds support for the new Kubernetes [EndpointSlice] resource
to the Destination controller. Using the EndpointSlice API is more efficient
for the Kubernetes control plane than using the Endpoints API. If the cluster
supports EndpointSlices (a beta feature in Kubernetes 1.17), Linkerd can be
installed with `--enable-endpoint-slices` flag to use this resource rather
than the Endpoints API.

* Added fish shell completions to the `linkerd` command (thanks @WLun001!)
* Enabled the support for EndpointSlices (thanks @Matei207!)
* Separated prometheus checks and made them runnable only when the add-on
  is enabled

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-07-23 22:46:53 +03:00
Kevin Leimkuhler f9a8ed29df
Add changes for edge-20.7.3 (#4766)
## edge-20.7.3

This edge release introduces an install flag for EndpointSlices. With this flag,
endpoint slices can be used as a resource in the destination service instead of
the endpoints resource.

* Introduce CLI and Helm install flag for EndpointSlices (thanks @Matei207!)
* Internal improvements to the CI process for testing Helm installations

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-07-17 13:19:37 -07:00
Eliza Weisman 212c51acfb
update changelog for edge-20.7.2 (#4741)
This edge release moves Linkerd's bundled Prometheus into an add-on.
This makes the Linkerd Prometheus more configurable, gives it a separate
upgrade lifecycle from the rest of the control plane, and allows users
to disable the bundled Prometheus instance. In addition, this release
includes fixes for several issues, including a regression where the
proxy would fail to report OpenCensus spans.

* Prometheus is now an optional add-on, enabled by default
* Custom tolerations can now be specified for control plane resources
  when installing with Helm (thanks @DesmondH0!)
* Evicted data plane pods are no longer considered to be failed by
  `linkerd check --proxy`, fixing an issue where the check would be
  retried indefinitely as long as evicted pods are present
* Fixed a regression where proxy spans were not reported to OpenCensus
* Fixed a bug where the proxy injector would fail to render skipped port
  lists when installed with Helm
* Internal improvements to the proxy for lower latencies under high
  concurrency
* Thanks to @Hellcatlk and @surajssd for adding new unit tests and
  spelling fixes!
2020-07-09 14:48:47 -07:00
cpretzer 3862aba314
Release edge-20.7.1 (#4698)
* Release edge-20.7.1

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-07-03 08:42:58 -07:00
Alex Leong 1b9ca5187a
edge-20.6.4 (#4672)
This edge release moves the proxy onto a new version of the Tokio runtime. This
allows us to more easily integrate with the ecosystem and may yield performance
benefits as well.

* Upgraded the proxy's underlying Tokio runtime and its related libraries
* Added support for PKCS8 formatted ECDSA private keys
* Added support for Helm configuration of per-component proxy resources requests
  and limits (thanks @cypherfox!)
* Updated the `linkerd inject` command to throw an error while injecting
  non-compliant pods (thanks @mayankshah1607)

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-06-25 14:52:33 -07:00
Alejandro Pedraza 83ae0ccf0f
Release notes for stable-2.8.1 (#4652)
* Release notes for stable-2.8.1

This release fixes multicluster gateways support on EKS.

* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* Have the service mirror controller check in `linkerd check` retry on failures.
* As of this version we're including a Chocolatey package (Windows) next to the
  other binaries in the release assets in GitHub.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3
* The shell scripts under `bin` continued to be improved, thanks to @joakimr-axis!
2020-06-23 12:12:06 -05:00
Zahari Dichev fe373414aa
Changes for edge-20.6.3 (#4629)
## edge-20.6.3

This edge release is a release candidate for stable-2.8.1. It includes a fix
to support multicluster gateways on EKS.

* The `config.linkerd.io/proxy-destination-get-networks` annotation configures
  the networks for which a proxy can discover metadata. This is an advanced
  configuration option that has security implications.
* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* The CLI will be published for Chocolatey (Windows) on future stable releases.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3

Signed-off-by: Zahari Dichev zaharidichev@gmail.com
Co-authored-by: Oliver Gould <ver@buoyant.io>
2020-06-18 20:32:08 +03:00
Oliver Gould 37f3b10d28
stable-2.8.0: Add note regarding #4582 (#4583)
Add a note warning users that `multicluster` does not yet work on
Amazon EKS (#4582).
2020-06-09 10:57:43 -07:00
Oliver Gould 3d77f06f1a
Add release notes for stable-2.8.0 (#4577)
2020-06-09 09:23:44 -07:00
Alejandro Pedraza b5eec3f05b
Edge-20.6.2 release notes (#4564)
2020-06-05 15:36:44 -05:00
Kevin Leimkuhler 2a3e05f03b
Add changes for edge-20.6.1 (#4547)
## edge-20.6.1

This edge release is a release candidate for `stable-2.8`! It introduces several
improvements and fixes for multicluster support.

* CLI
  * Added multicluster daisy chain checks to `linkerd check`
  * Added list of successful gateways in multicluster checks section of `linkerd
    check`
* Controller
  * Renamed multicluster gateway ports to `mc-gateway` and `mc-probe`
  * Fixed Service Profiles routes for `linkerd-prometheus`
* Internal
  * Fixed array handling in the `bin/fmt` script
  * Improved error reporting for scripts in failed CI runs
  * Improved logs and event reporting in CI for all integration test failures
  * Fixed `uname` flags for Darwin in the `bin/lint` script
  * Fixed shellcheck errors in all `bin/` scripts (thanks @joakimr-axis!)
* Helm
  * Added support for `linkerd mc allow`
  * Added ability to disable secret resources for self-signed certs (thanks
    @cypherfox!)
* Proxy
  * Modified the `linkerd-gateway` component to use the inbound proxy, rather
    than nginx, for gateway; this allows Linkerd to detect loops and propagate
    identity

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-06-03 22:09:21 -04:00
cpretzer fb18295430
changes for edge-20.5.5 (#4504)
* changes for edge-20.5.5

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-05-28 14:49:45 -07:00
Alex Leong 05b9e4c7d7
edge-20.5.4 (#4463)
* CLI
  * Fixed the display of the meshed pod column for non-selector services in
    `linkerd stat` output
  * Added an `addon-overwrite` upgrade flag which allows users to overwrite the
    existing addon config rather than merging into it
  * Added a `--close-wait-timeout` inject flag which sets the 
    `nf_conntrack_tcp_timeout_close_wait` property which can be used to mitigate
    connection issues with applications that hold half-closed sockets
* Controller
  * Restricted the service-mirror's RBAC permissions so that it no longer is
    able to read secrets in all namespaces
  * Moved many multicluster components into the `linkerd-multicluster` namespace
    by default
  * Added multicluster gateway mirror services to allow multicluster liveness
    probes to work in private networks
  * Fixed an issue where multicluster gateway mirror services could be
    incorrectly deleted during a resync
* Internal
  * Fixed many style issues in build scripts (thanks @joakimr-axis!)
* Helm
  * Added `global.grafanaUrl` variable to allow using an existing Grafana
    installation

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-05-21 16:45:20 -07:00
Kevin Leimkuhler b407196549
Lint all markdown files (#4403)
## Motivation

Necessary lints for #4402

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-05-19 09:59:26 -07:00
Alejandro Pedraza 41ce6ccdbd
Release notes for edge-20.5.3 (#4396)
2020-05-14 14:25:35 -05:00
Zahari Dichev fb588e79b5
edge-20.5.2 changes (#4379)
* CLI
  * Added a section to the `linkerd check` that validates that all
    clusters part of a multicluster setup have compatible trust anchors
  * Modified the `linkerd cluster export-service` command to work by
    transforming yaml instead of modifying cluster state
  * Added functionality that allows the `linkerd cluster export-service`
    command to operate on lists of services   
* Controller
  * Changed the multicluster gateway to always require TLS on connections
    originating from outside the cluster
  * Removed admin server timeouts from control plane components, thereby
    fixing a bug that can cause liveness checks to fail
* Helm
  * Moved Grafana templates into a separate add-on chart    
* Proxy
  * Improved latency under high-concurrency use cases.  

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-05-12 20:46:01 +03:00
Kevin Leimkuhler d7ca4f886c
Add changes for edge-20.5.1 (#4348)
## edge-20.5.1

* CLI
  * Fixed all commands to use kubeconfig's default namespace if specified
    (thanks @Matei207!)
  * Added multicluster checks to the `linkerd check` command
  * Hid development flags in the `linkerd install` command for release builds
* Controller
  * Added ability to configure Prometheus Alertmanager as well as recording
    and alerting rules on the Linkerd Prometheus (thanks @naseemkullah!)
  * Added ability to add more commandline flags to the Prometheus command
    (thanks @naseemkullah!)
* Web UI
  * Fixed TrafficSplit detail page not loading
  * Added Jaeger links to the dashboard when the tracing addon is enabled
* Proxy
  * Modified internal buffering to avoid idling out services as a request
    arrives, fixing failures for requests that are sent exactly once per
    minute--such as Prometheus scrapes

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-05-07 17:21:16 -07:00
Eliza Weisman 6f835c006d
update changelog for edge-20.4.5 (#4314)
* update changelog for edge-20.4.5

This edge release includes several new CLI commands for use with
multi-cluster gateways, and adds liveness checks and metrics for
gateways. Additionally, it makes the proxy's gRPC error-handling
behavior more consistent with other implementations, and includes a fix
for a bug in the web UI.

* CLI
  * Added `linkerd cluster setup-remote` command for setting up a
    multi-cluster gateway
  * Added `linkerd cluster gateways` command to display stats for
    multi-cluster gateways
  * Changed `linkerd cluster export-service` to modify a provided YAML
    file and output it, rather than mutating the cluster
* Controller
  * Added liveness checks and Prometheus metrics for multi-cluster
    gateways
  * Changed the proxy injector to configure proxies to do destination
    lookups for IPs in the private IP range
* Web UI
  * Fixed errors when viewing resource detail pages
* Internal
  * Created script and config to build a Linkerd CLI Chocolatey package
    for Windows users, which will be published with stable releases
    (thanks to @drholmie!)
* Proxy
  * Changed the proxy to set a `grpc-status: UNAVAILABLE` trailer when a
    gRPC response stream is interrupted by a transport error

Signed-off-by: Eliza Weisman <eliza@buoyant.io>

* review feedback

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
2020-04-30 15:23:13 -07:00
cpretzer 64aff41f93
Release edge-20.4.4
Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-04-24 17:03:37 -07:00
cpretzer 93f8b96649
Release notes for edge-20.4.3 (#4290)
* Release notes for edge-20.4.3

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-04-24 10:40:06 -07:00
Zahari Dichev ecd44d85fa
Changes for edge-20.4.2 (#4263)
*## edge-20.4.2

This release brings a number of CLI fixes and Controller improvements.

* CLI
  * Fixed a bug that caused the proxy to crash after upgrade if
    `--skip-outbound-ports` or `--skip-inbound-ports` were used
  * Added `unmeshed` flag to the `stat` command, such that unmeshed resources
    are only displayed if the user opts-in
  * Added a `--smi-metrics` flag to `install`, to allow installation of the
    experimental `linkerd-smi-metrics` component
  * Fixed a bug in `linkerd stat`, causing incorrect output formatting when using
    the `wide` flag
  * Fixed a bug, causing `linkerd uninstall` to fail when attempting to delete
    PSPs
* Controller
  * Improved the anti-affinity of `linkerd-smi-metrics` deployment to avoid
    pod scheduling problems during `upgrade`
  * Improved endpoints change detection in the `destinations` service, enabling
    mirrored remote services to change cluster gateways     

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-04-16 19:57:42 +03:00
Alejandro Pedraza 7a6e7c3b38
edge-20.4.1 (#4229)
* edge-20.4.1

This release introduces some cool new functionalities, all provided by our
awesome community of contributors! Also two bugs were fixed that were introduced
since edge-20.3.2.

* CLI
  * Added `linkerd uninstall` command to uninstall the control plane (thanks
    @Matei207!)
  * Fixed a bug causing `linkerd routes -o wide` to not show the proper actual
    success rate
* Controller
  * Fail proxy injection if the pod spec has `automountServiceAccountToken`
    disabled (thanks @mayankshah1607!)
* Web UI
  * Added a route dashboard to Grafana (thanks @lundbird!)
* Proxy
  * Fixed a bug causing the proxy's inbound to spuriously return 503 timeouts
2020-04-02 18:54:46 -05:00
Alex Leong 27a4c8a073
edge-20.3.4 (#4204)
This release introduces several fixes and improvements to the CLI.

* CLI
  * Added support for kubectl-style label selectors in many CLI commands (thanks
    @mayankshah1607!)
  * Fixed the path regex in service profiles generated from proto files without
    a package name (thanks @amariampolskiy!)
  * Fixed an error when injecting Cronjobs that have no metadata
  * Relaxed the clock skew check to match the default node heartbeat interval
    on Kubernetes 1.17 and made this check a warning
  * Fixed a bug where the linkerd-smi-metrics pod could not be created on
    clusters with pod security policy enabled
* Internal
  * Upgraded tracing components to more recent versions and improved resource
    defaults (thanks @Pothulapati!)

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-03-26 14:54:12 -07:00
Eliza Weisman fcc8700be3
Update changelog for edge-20.3.3 (#4187)
## edge-20.3.3

This release introduces new experimental CLI commands for querying metrics using
the Service Mesh Interface (SMI) and for multi-cluster support via service
mirroring.

If you would like to learn more about service mirroring or SMI, or are
interested in experimenting with these features, please join us in
[Linkerd Slack](https://slack.linkerd.io) for help and feedback.

* CLI
  * Added experimental `linkerd cluster` commands for managing multi-cluster
    service mirroring
  * Added the experimental `linkerd alpha clients` command, which uses the
    smi-metrics API to display client-side metrics from each of a resource's
    clients
  * Added retries to some `linkerd check` checks to prevent spurious failures
    when run immediately after cluster creation or Linkerd installation
2020-03-19 12:48:44 -07:00
Zahari Dichev 7c0e6a86c7
Add changes for edge-20.3.2 (#4164)
Add changes for edge-20.3.2

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-03-12 15:36:34 +02:00
cpretzer 51edaec91e
Add changes for edge-20.3.1 (#4135)
* Add changes for edge-20.3.1

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Co-authored-by: cpretzer <cpretzer@users.noreply.github.com>
2020-03-05 13:25:18 -08:00
Kevin Leimkuhler 42349d6280
Add changes for edge-20.2.3 (#4113)
## edge-20.2.3

This release introduces the first optional add-on `tracing`, added through the
new add-on model!

The existing optional `tracing` components Jaeger and OpenCensus can now be
installed as add-on components.

There will be more information to come about the new add-on model, but please
refer to the details of [#3955](https://github.com/linkerd/linkerd2/pull/3955) for how to get started.

* CLI
  * Added the `linkerd diagnostics` command to get metrics only from the
    control plane, excluding metrics from the data plane proxies (thanks
    @srv-twry!)
  * Added the `linkerd install --prometheus-image` option for installing a
    custom Prometheus image (thanks @christyjacob4!)
  * Fixed an issue with `linkerd upgrade` where changes to the `Namespace`
    object were ignored (thanks @supra08!)
* Controller
  * Added the `tracing` add-on which installs Jaeger and OpenCensus as add-on
    components (thanks @Pothulapati!!)
* Proxy
  * Increased the inbound router's default capacity from 100 to 10k to
    accommodate environments that have a high cardinality of virtual hosts
    served by a single pod
* Web UI
  * Fixed styling in the CallToAction banner (thanks @aliariff!)
2020-02-27 13:29:40 -08:00
Alejandro Pedraza 395ca102d5
Edge-20.2.2 release notes (#4077)
* Edge-20.2.2 release notes
2020-02-20 14:21:30 -05:00
Alex Leong b9caae0cd9
stable-2.7.0 (#4019)
## stable-2.7.0

This release adds support for integrating Linkerd's PKI with an external
certificate issuer such as [`cert-manager`] as well as streamlining the
certificate rotation process in general. For more details about cert-manager
and certificate rotation, see the
[docs](https://linkerd.io/2/tasks/use_external_certs/). This release also
includes performance improvements to the dashboard, reduced memory usage of the
proxy, various improvements to the Helm chart, and much much more.

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: This release includes breaking changes to our Helm charts.
Please see the [upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-270).

**Special thanks to**: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre,
@javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607,
@Pothulapati, and @StupidScience!

**Full release notes**:

* CLI
  * Updated the mTLS trust anchor checks to eliminate false positives caused by
    extra trailing spaces
  * Reduced the severity level of the Linkerd version checks, so that they
    don't fail when the external version endpoint is unreachable
    (thanks @mayankshah1607!)
  * Added a new `tap` APIService check to aid with uncovering Kubernetes API
    aggregation layer issues (thanks @droidnoob!)
  * Introduced CNI checks to confirm the CNI plugin is installed and ready;
    this is done through `linkerd check --pre --linkerd-cni-enabled` before
    installation and `linkerd check` after installation if the CNI plugin is
    present
  * Added support for the `--as-group` flag so that users can impersonate
    groups for Kubernetes operations (thanks @mayankshah1607!)
  * Added HA specific checks to `linkerd check` to ensure that the `kube-system`
    namespace has the `config.linkerd.io/admission-webhooks:disabled`
    label set
  * Fixed a problem causing the presence of unnecessary empty fields in
    generated resource definitions (thanks @mayankshah1607)
  * Added the ability to pass both port numbers and port ranges to
    `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
  * Increased the comprehensiveness of `linkerd check --pre`
  * Added TLS certificate validation to `check` and `upgrade` commands
  * Added support for injecting CronJobs and ReplicaSets, as well as the ability
    to use them as targets in the CLI subcommands
  * Introduced the new flags `--identity-issuer-certificate-file`,
    `--identity-issuer-key-file` and `identity-trust-anchors-file` to `linkerd
    upgrade` to support trust anchor and issuer certificate rotation
  * Added a check that ensures using `--namespace` and `--all-namespaces`
    results in an error as they are mutually exclusive
  * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow
    configuring the number of dashboard replicas (thanks @KIVagant!)
  * Removed redundant service profile check (thanks @alenkacz!)
  * Updated `uninject` command to work with namespace resources
    (thanks @mayankshah1607!)
  * Added a new `--identity-external-issuer` flag to `linkerd install` that
    configures Linkerd to use certificates issued by an external certificate
    issuer (such as `cert-manager`)
  * Added support for injecting a namespace to `linkerd inject` (thanks
    @mayankshah1607!)
  * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets
    can be created and accessed
  * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed
    IPs that match multiple running pods
  * Made `linkerd install --ignore-cluster` and `--skip-checks` faster
  * Fixed a bug causing `linkerd upgrade` to fail when used with
    `--from-manifest`
  * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)
  * Updated `check` to ensure that proxy trust anchors match configuration
    (thanks @ereslibre!)
  * Added condition to the `linkerd stat` command that requires a window size
    of at least 15 seconds to work properly with Prometheus
* Controller
  * Fixed an issue where an override of the Docker registry was not being
    applied to debug containers (thanks @javaducky!)
  * Added check for the Subject Alternate Name attributes to the API server
    when access restrictions have been enabled (thanks @javaducky!)
  * Added support for arbitrary pod labels so that users can leverage the
    Linkerd provided Prometheus instance to scrape for their own labels
    (thanks @daxmc99!)
  * Fixed an issue with CNI config parsing
  * Fixed a race condition in the `linkerd-web` service
  * Updated Prometheus to 2.15.2 (thanks @Pothulapati)
  * Increased minimum kubernetes version to 1.13.0
  * Added support for pod ip and service cluster ip lookups in the destination 
    service
  * Added recommended kubernetes labels to control-plane
  * Added the `--wait-before-exit-seconds` flag to linkerd inject for the proxy 
    sidecar to delay the start of its shutdown process (a huge commit from 
    @KIVagant, thanks!)
  * Added a pre-sign check to the identity service 
  * Fixed inject failures for pods with security context capabilities
  * Added `conntrack` to the `debug` container to help with connection tracking
    debugging
  * Fixed a bug in `tap` where mismatch cluster domain and trust domain caused
    `tap` to hang
  * Fixed an issue in the `identity` RBAC resource which caused start up errors
    in k8s 1.6 (thanks @Pothulapati!)
  * Added support for using trust anchors from an external certificate issuer
    (such as `cert-manager`) to the `linkerd-identity` service
  * Added support for headless services (thanks @JohannesEH!)
* Helm
  * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`
  * **Breaking Change** Updated Helm charts to follow best practices (thanks
    @Pothulapati and @javaducky!)
  * Fixed an issue with `helm install` where the lists of ignored inbound and
    outbound ports would not be reflected
  * Fixed the `linkerd-cni` Helm chart not setting proper namespace annotations
    and labels
  * Fixed certificate issuance lifetime not being set when installing through
    Helm
  * Updated the helm build to retain previous releases
  * Moved CNI template into its own Helm chart
* Proxy
  * Fixed an issue that could cause the OpenCensus exporter to stall
  * Improved error classification and error responses for gRPC services
  * Fixed a bug where the proxy could stop receiving service discovery updates,
    resulting in 503 errors
  * Improved debug/error logging to include detailed contextual information
  * Fixed a bug in the proxy's logging subsystem that could cause the proxy to
    consume memory until the process is OOM killed, especially when the proxy was
    configured to log diagnostic information
  * Updated proxy dependencies to address RUSTSEC-2019-0033, RUSTSEC-2019-0034,
    and RUSTSEC-2020-02
* Web UI
  * Fixed an error when refreshing an already open dashboard when the Linkerd
    version has changed
  * Increased the speed of the dashboard by pausing network activity when the 
    dashboard is not visible to the user
  * Added support for CronJobs and ReplicaSets, including new Grafana dashboards
    for them
  * Added `linkerd check` to the dashboard in the `/controlplane` view
  * Added request and response headers to the `tap` expanded view in the
    dashboard
  * Added filter to namespace select button
  * Improved how empty tables are displayed
  * Added `Host:` header validation to the `linkerd-web` service, to protect
    against DNS rebinding attacks
  * Made the dashboard sidebar component responsive
  * Changed the navigation bar color to the one used on the [Linkerd](https://linkerd.io/) website
* Internal
  * Added validation to incoming sidecar injection requests that ensures
    the value of `linkerd.io/inject` is either `enabled` or `disabled`
    (thanks @mayankshah1607)
  * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
  * Fixed an issue causing `tap`, `injector` and `sp-validator` to use 
    old certificates after `helm upgrade` due to not being restarted
  * Fixed incomplete Swagger definition of the tap api, causing benign
    error logging in the kube-apiserver
  * Removed the destination container from the linkerd-controller deployment as
    it now runs in the linkerd-destination deployment
  * Allowed the control plane to be injected with the `debug` container
  * Updated proxy image build script to support HTTP proxy options
    (thanks @joakimr-axis!)
  * Updated the CLI `doc` command to auto-generate documentation for the proxy
    configuration annotations (thanks @StupidScience!)
  * Added new `--trace-collector` and `--trace-collector-svc-account` flags to
    `linkerd inject` that configure the OpenCensus trace collector used by
    proxies in the injected workload (thanks @Pothulapati!)
  * Added a new `--control-plane-tracing` flag to `linkerd install` that enables
    distributed tracing in the control plane (thanks @Pothulapati!)
  * Added distributed tracing support to the control plane (thanks
    @Pothulapati!)

[`cert-manager`]: https://github.com/jetstack/cert-manager

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-02-06 10:58:59 -08:00
Alex Leong 770da05b1e
edge-20.2.1 (#4012)
This edge release is a release candidate for `stable-2.7` and fixes an issue
where the proxy could consume inappropriate amounts of memory.

* Proxy
  * Fixed a bug in the proxy's logging subsystem that could cause the proxy to
    consume memory until the process is OOMKilled, especially when the proxy was
    configured to log diagnostic information
  * Fixed properly emitting `grpc-status` headers when signaling proxy errors to
    gRPC clients
* Internal
  * Updated to Rust 1.40
  * Updated certain proxy dependencies to address RUSTSEC-2019-0033,
    RUSTSEC-2019-0034, and RUSTSEC-2020-02

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-02-04 12:26:34 -08:00
Ivan Sim 69ce7ab069
Added change log of edge-20.1.4 (#3986)
Signed-off-by: Ivan Sim <ivan@buoyant.io>
2020-01-28 13:15:49 -08:00
Kevin Leimkuhler 91bc054449
Update edge-20.1.3 release changes (#3971)
# edge-20.1.3

An update to the Helm charts has caused a **breaking change** for users who
have installed Linkerd using Helm. In order to make the purpose of the
`NoInitContainer` parameter more explicit, it has been renamed to `CniEnabled`.

* CLI
  * Introduced `linkerd check --pre --linkerd-cni-enabled`, used when the CNI
    plugin is used, to check it has been properly installed before proceeding
    with the control plane installation
  * Added support for the `--as-group` flag so that users can impersonate
    groups for Kubernetes operations (thanks @mayankshah160!)
* Controller
  * Fixed an issue where an override of the Docker registry was not being
    applied to debug containers (thanks @javaducky!)
  * Added check for the Subject Alternate Name attributes to the API server
    when access restrictions have been enabled (thanks @javaducky!)
  * Added support for arbitrary pod labels so that users can leverage the
    Linkerd provided Prometheus instance to scrape for their own labels
    (thanks @daxmc99!)
  * Fixed an issue with CNI config parsing
* Helm
  * **Breaking change**: Renamed `NoInitContainer` parameter to `CniEnabled`
  * Fixed an issue with `helm install` where the lists of ignored inbound and
    outbound ports would not be reflected

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-01-24 13:38:14 -08:00
Kevin Leimkuhler 53baecb382
Changes for edge-20.1.3 (#3966)
## edge-20.1.3

* CLI
  * Introduced `linkerd check --pre --linkerd-cni-enabled`, used when the CNI
    plugin is used, to check it has been properly installed before proceeding
    with the control plane installation
  * Added support for the `--as-group` flag so that users can impersonate
    groups for Kubernetes operations (thanks @mayankshah160!)
* Controller
  * Fixed an issue where an override of the Docker registry was not being
    applied to debug containers (thanks @javaducky!)
  * Added check for the Subject Alternate Name attributes to the API server
    when access restrictions have been enabled (thanks @javaducky!)
  * Added support for arbitrary pod labels so that users can leverage the
    Linkerd provided Prometheus instance to scrape for their own labels
    (thanks @daxmc99!)
  * Fixed an issue with CNI config parsing

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-01-23 16:55:21 -08:00
Zahari Dichev 65aad4e373
edge-20.1.2 (#3931)
## edge-20.1.2

* CLI
  * Added HA specific checks to `linkerd check` to ensure that the `kube-system`
    namespace has the `config.linkerd.io/admission-webhooks:disabled`
    label set
  * Fixed a problem causing the presence of unnecessary empty fields in
    generated resource definitions (thanks @mayankshah1607)
* Proxy
  * Fixed an issue that could cause the OpenCensus exporter to stall
* Internal
  * Added validation to incoming sidecar injection requests that ensures
    the value of `linkerd.io/inject` is either `enabled` or `disabled`
    (thanks @mayankshah1607)

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-01-16 11:21:36 +02:00
Eliza Weisman c9ad37746e
edge-20.1.1 (#3899)
## edge-20.1.1

This edge release includes experimental improvements to the Linkerd proxy's
request buffering and backpressure infrastructure.

Additionally, we've fixed several bugs when installing Linkerd with Helm,
updated the CLI to allow using both port numbers _and_ port ranges with the
`--skip-inbound-ports` and `--skip-outbound-ports` flags, and fixed a dashboard
error that can occur if the dashboard is open in a browser while updating Linkerd.

**Note**: The `linkerd-proxy` version included with this release is more
experimental than usual. We'd love your help testing, but be aware that there
might be stability issues.

* CLI
  * Added the ability to pass both port numbers and port ranges to
    `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
* Controller
  * Fixed a race condition in the `linkerd-web` service
  * Updated Prometheus to 2.15.2 (thanks @Pothulapati)
* Web UI
  * Fixed an error when refreshing an already open dashboard when the Linkerd
    version has changed
* Proxy
  * Internal changes to the proxy's request buffering and backpressure
    infrastructure
* Helm
  * Fixed the `linkerd-cni` Helm chart not setting proper namespace annotations
    and labels
  * Fixed certificate issuance lifetime not being set when installing through
    Helm
  * More improvements to Helm best practices (thanks to @Pothulapati!)
2020-01-09 15:02:07 -08:00
cpretzer 023fbcbf59
Changes for edge-19.12.3 (#3857)
* Changes for edge-19.12.3

Signed-off-by: Charles Pretzer <charles@buoyant.io>

* CHANGES.md updates based on feedback

Signed-off-by: Charles Pretzer <charles@buoyant.io>

* Fix flag name

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2019-12-19 14:08:10 -08:00