This release fixes an issue that could cause the OpenCensus exporter to
stall.
This release does NOT include the experimental changes from
v2.83.0-experimental.
---
* http: Use the endpoint type to inform URI normalization (linkerd/linkerd2-proxy#404)
* Remove clone in opencensus exporter to ensure task is notified (linkerd/linkerd2-proxy#405)
This is an experimental release that includes large changes to the
proxy's request buffering and backpressure infrastructure.
Please exercise caution before deploying this proxy version into mission
critical environments.
This release adds a defense mechanism to ensure that resolutions are
released when the associated balancer becomes idle and should have
been dropped from the proxy.
Furthermore, the proxy is now more selective as to which gRPC status
codes are considered "failures" in metrics.
---
* Classify some gRPC status codes as non-errors (linkerd/linkerd2-proxy#395)
* discover: Timeout stalled resolutions (linkerd/linkerd2-proxy#401)
v2.80.0 fixed a problem where the destination controller client's
connection receive window could become exhausted, preventing additional
updates from the controller. The connection window has been increased
from 64K to 1MB to prevent a single stalled stream from block others.
Furthermore, discovery for IP addresses has been disabled in the proxy,
as the control plane does not yet support these resolutions. This
additionally lessons the load on the destination controller client.
---
* profiles: Eagerly read profiles off the wire (linkerd/linkerd2-proxy#397)
* router: Ensure that the purge task completes (linkerd/linkerd2-proxy#396)
* app-core: Add `accept` context with peer addr (linkerd/linkerd2-proxy#398)
* Remove default for destination lookup subnets (linkerd/linkerd2-proxy#399)
* Configure the HTTP/2 connection window to 1MB (linkerd/linkerd2-proxy#400)
* proxy: v2.79.0
This release includes internal dependencies updates including the Rust
compiler and the proxy's load balancer.
No user-facing changes are anticipated.
---
* Update Rust to 1.39.0 (linkerd/linkerd2-proxy#391)
* Update tower-balance (linkerd/linkerd2-proxy#392)
* Make the router HTTP-agnostic (linkerd/linkerd2-proxy#394)
* Make fallback HTTP-agnostic (linkerd/linkerd2-proxy#393)
Signed-off-by: Alex Leong <alex@buoyant.io>
This release enables discovery for network address destinations. This
enables mesh identity for services like Prometheus that do pod-to-pod
communication without DNS names.
---
* make: Do not compile integration tests during packaging (linkerd/linkerd2-proxy#390)
* Resolve private IP addresses via the destination service (linkerd/linkerd2-proxy#388)
* internal: Decouple TCP forwarding from protocol dispatch (linkerd/linkerd2-proxy#389)
Signed-off-by: Alex Leong <alex@buoyant.io>
This change updates the internals of the proxy's client to the
Destination controller. Other than some minor fixes to the client's
backoff logic, no user-facing changes are expected.
* Split service discovery into composable components (linkerd/linkerd2-proxy#341)
* logging: update `tracing` and `tracing-subscriber` (linkerd/linkerd2-proxy#352)
* resolve: Do not send the 'k8s' scheme (linkerd/linkerd2-proxy#356)
### Summary
In order for Pods' tap servers to start authorizing tap clients, the tap
controller must open TLS connections so that it can identity itself to the
server.
This change introduces the use of `l5d-require-id` header on outbound tap
requests.
### Details
When tap requests are made by the tap controller, the `Authority` header is an
IP address. The proxy does not attempt to do service discovery on such requests
and therefore the connection is over plaintext. By introducing the
`l5d-require-id` header the proxy can require a server name on the connection.
This allows the tap controller to identity itself as the client making tap
requests. The name value for the header can be made from the Pod Spec and tap
request, so the change is rather minimal.
#### Proxy Changes
* Update h2 to v0.1.26
* Properly fall back in the dst_router (linkerd/linkerd2-proxy#291)
### Testing
Unit tests for the header have not been added mainly because [no test
infrastructure currently exists](065c221858/controller/tap/server_test.go (L241)) to mock proxy requests. After talking with
@siggy a little about this, it makes to do in a separate change at some point
when behavior like this cannot be reliably tested through integration tests
either.
Integration tests do test this well, and will continue to do once
linkerd/linkerd2-proxy#290 lands.
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Each time we update the proxy from the linkerd2-proxy repo, we make the
change slightly differently. The bin/git-commit-proxy-version does all the
steps needed to update the proxy version up to and including making a
commit to this repo.
The proxy version is now stored in a .proxy-version file and is
consumed directly by Dockerfile-proxy, which both simplifies the
Dockerfile and the update process.
This script formats commit messages and emits output as follows:
```
commit c05198a851f69bdc7007974a0ef1f4c01c98d0ce (HEAD -> ver/proxy-update)
Author: Oliver Gould <ver@buoyant.io>
Date: Thu Jul 11 17:23:05 2019 +0000
proxy: Update to linkerd/linkerd2-proxy#3a3ec3b
* linkerd/linkerd2-proxy#0cc58cd fallback: Clarify fallback layering (linkerd/linkerd2-proxy#288)
* linkerd/linkerd2-proxy#b71349a Replace `log` and `env-logger` with `tracing` and `tracing-fmt` (linkerd/linkerd2-proxy#277)
* linkerd/linkerd2-proxy#3a3ec3b Use a constant-time load balancer (linkerd/linkerd2-proxy#266)
diff --git a/.proxy-version b/.proxy-version
index f81f40de..d7faa12d 100644
--- a/.proxy-version
+++ b/.proxy-version
@@ -1 +1 @@
-05b012d
+3a3ec3b
```
Oliver Gould
Alex Leong
Zahari Dichev
Eliza Weisman
Kevin Leimkuhler
Ivan Sim