## edge-19.11.3
* CLI
* Added a check that ensures using `--namespace` and `--all-namespaces`
results in an error as they are mutually exclusive
* Internal
* Fixed an issue causing `tap`, `injector` and `sp-validator` to use
old certificates after `helm upgrade` due to not being restarted
* Fixed incomplete Swagger definition of the tap api, causing benign
error logging in the kube-apiserver
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
Follow up from #3730, GitHub Actions was failing in the following ways:
- booting 5 parallel kind clusters in the matrix job was overloading the
Docker host
- `~/.ssh/known_hosts` file was empty following gcloud sdk installation
Four changes to mitigate these issues:
- generate `known_hosts` from a secret, rather than an `ssh-keyscan`
command
- generate `~/.ssh/config` from a secret
- set `max-parallel: 3` on the matrix job
- install gcloud sdk prior to Docker ssh setup
TODO:
- remove `DOCKER_ADDRESS`, `DOCKER_HOST_PRIVATE_KEY`
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
- Added cleanup step at the end of all integration tests.
- Disable external_issuer_integration_tests in cloud_tests due to
namespace issue. Running this via `kind` tests is sufficient for now.
- Set a flakey test to `Skip`, relates to #3332.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
## edge-19.11.2
* CLI
* Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow
configuring the number of dashboard replicas (thanks @KIVagant!)
* Removed redundant service profile check (thanks @alenkacz!)
* Web UI
* Added `linkerd check` to the dashboard in the `/controlplane` view
* Added request and response headers to the `tap` expanded view in the
dashboard
* Internal
* Removed the destination container from the linkerd-controller deployment as
it now runs in the linkerd-destination deployment
* Upgraded Go to version 1.13.4
Signed-off-by: Alex Leong <alex@buoyant.io>
https://github.com/linkerd/linkerd2/pull/3693 caused the proxy to start resolving private IP addresses with the destination service. However, the destination service does not support IP lookups and returns failures for these lookups. This negatively affects the destination service success rate and can cause this test to fail. We disable this test for now until the destination service supports IP lookups.
Signed-off-by: Alex Leong <alex@buoyant.io>
* proxy: v2.79.0
This release includes internal dependencies updates including the Rust
compiler and the proxy's load balancer.
No user-facing changes are anticipated.
---
* Update Rust to 1.39.0 (linkerd/linkerd2-proxy#391)
* Update tower-balance (linkerd/linkerd2-proxy#392)
* Make the router HTTP-agnostic (linkerd/linkerd2-proxy#394)
* Make fallback HTTP-agnostic (linkerd/linkerd2-proxy#393)
Signed-off-by: Alex Leong <alex@buoyant.io>
This PR upgrades yarn dependencies, including bumping the `es-abstract` package (a sub-dependency of some of our packages) from `1.14.0` to `1.16.0` which should resolve the 404 from yarn and enable our branch to pass CI. The only file change is `yarn.lock`. The change was made by running `yarn upgrade` from `/web/app`.
To test, checkout this branch, run `bin/web setup` & `bin/web dev`, then test `localhost:7777` to ensure the dashboard is running normally.
* Traffic split integration test
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Address comments
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Display placeholder when there is no basic stats data
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Replaced `uuid` with `uid` from linkerd-config resource
Fixes#3621
Removed the old `uuid` for identifying linkerd installations, and
replaced it with the `uid` property from the `linkerd-config` ConfigMap.
I tested that this `uid` remains the same by updating the config and
also upgrading linkerd, using both the CLI and Helm.
Note that this required granting `linkerd-web` RBAC access to the
`linkerd-config` Config.
I also added an integration test to verify the stability of the uid.
This release enables discovery for network address destinations. This
enables mesh identity for services like Prometheus that do pod-to-pod
communication without DNS names.
---
* make: Do not compile integration tests during packaging (linkerd/linkerd2-proxy#390)
* Resolve private IP addresses via the destination service (linkerd/linkerd2-proxy#388)
* internal: Decouple TCP forwarding from protocol dispatch (linkerd/linkerd2-proxy#389)
Signed-off-by: Alex Leong <alex@buoyant.io>
The edges integration test can fail when more edges are added to the Linked namespace due to https://github.com/linkerd/linkerd2/issues/3706. We disable this test until that issue can be resolved.
Signed-off-by: Alex Leong <alex@buoyant.io>
Fixes#3566
As explained in #3566, as of go 1.13 there's a strict check that ensures a dependency's timestamp matches it's sha (as declared in go.mod). Our smi-sdk dependency has a problem with that that got resolved later on, but more work would be required to upgrade that dependency. In the meantime a quick pair of replace statements at the bottom of go.mod fix the issue.
Closes#3612. This PR adds tap headers to the dashboard. Headers are displayed
when the user clicks on the "expand view" icon of each tap row.
Signed-off-by: Cintia Sanchez Garcia <cynthiasg@icloud.com>
`linkerd check` can now be run from the dashboard in the `/controlplane` view.
Once the check results are received, they are displayed in a modal in a similar
style to the CLI output.
Closes#3613
* Fixed bad identity string for target pod in tap
Fixes#3506
Was using the cluster domain instead of the trust domain, which results
in an error when those domains differ.
* Add support for uninject command to uninject namespace configs
* Add relevant unit tests in cli/cmd/uninject_test.go
Signed-off-by: Mayank Shah <mayankshah1614@gmail.com>
* rework annotations doc generation from godoc parsing to map[string]string and get rid of unused yaml tags
* move annotations doc function from pkg/k8s to cli/cmd
Signed-off-by: StupidScience <tonysignal@gmail.com>
This patch sends the proxy settings to docker build if present.
Without this, the docker build will fail on apt-get update on a
system that is behind a proxy.
Change-Id: I3fcbad4d9a9c30e5f0a00f03c6d8629ed8cc97b0
Signed-off-by: Joakim Roubert <joakimr@axis.com>
* Add cmd to inject debug sidecar for l5d components only
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Revert "Add cmd to inject debug sidecar for l5d components only"
This reverts commit 50b8b3577e.
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Stop uninjecting metadata from control plane components
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
* Ensure inject can be run on control plane components only if --manual is present
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
## edge-19.10.5
This edge release adds support for integrating Linkerd's public-key
infrastructure with an external certificate issuer such as [`cert-manager`],
adds distributed tracing support to the Linkerd control plane, and adds
protection against DNS rebinding attacks to the web dashboard. In addition, it
includes several improvements to the Linkerd CLI.
* CLI
* Added a new `--identity-external-issuer` flag to `linkerd install` that
configures Linkerd to use certificates issued by an external certificate
issuer (such as `cert-manager`)
* Added support for injecting a namespace to `linkerd inject` (thanks
@mayankshah1607!)
* Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets
can be created and accessed
* Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed
IPs that match multiple running pods
* Controller
* Added support for using trust anchors from an external certificate issuer
(such as `cert-mananger`) to the `linkerd-identity` service
* Web UI
* Added `Host:` header validation to the `linkerd-web` service, to protect
against DNS rebinding attacks
* Internal
* Added new `--trace-collector` and `--trace-collector-svc-account` flags to
`linkerd inject` that configures the OpenCensus trace collector used by
proxies in the injected workload (thanks @Pothulapati!)
* Added a new `--control-plane-tracing` flag to `linkerd install` that enables
distributed tracing in the control plane (thanks @Pothulapati!)
* Added distributed tracing support to the control plane (thanks
@Pothulapati!)
Also, thanks to @joakimr-axis for several fixes and improvements to internal
build scripts!
* DNS rebinding protection for the dashboard
Fixes#3083 and replacement for #3629
This adds a new parameter to the `linkerd-web` container `enforcedHost`
that establishes the regexp that the Host header must enforce, otherwise
it returns an error.
This parameter will be hard-coded for now, in `linkerd-web`'s deployment
yaml.
Note this also protects the dashboard because that's proxied from
`linkerd-web`.
Also note this means the usage of `linkerd dashboard --address` will
require the user to change that parameter in the deployment yaml (or
have Kustomize do it).
How to test:
- Run `linkerd dashboard`
- Go to http://rebind.it:8080/manager.html and change the target port to
50750
- Click on “Start Attack” and wait for a minute.
- The response from the dashboard will be returned, showing an 'Invalid
Host header' message returned by the dashboard. If the attack would have
succeeded then the dashboard's html would be shown instead.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Handling of whitespace paths was not fully implemented; this patch adds
the missing pieces. Also, only use bash where bash-specific
functionality is used/needed.
Signed-off-by: Joakim Roubert <joakimr@axis.com>
Add an integration test which exercises the behavior when one meshed pod connects to another meshed pod by pod ip address.
The current behavior is that the Linkerd proxy will not do any lookup against the destination service for this kind of connection and will proxy directly to the SO_ORIG_DST. This means that it will not have the identity metadata necessary to TLS the connection, and the connection will not be present in the `linkerd edges` command output. This test validates that behavior.
The purpose of this test is to set the stage for future work which will allow the Linkerd proxy to TLS this type of connection and display it in `linkerd edges`. The assertions in this test will be updated as part of that work.
This test will be run as part of the integration test suite. It can also be run directly:
```
go test --failfast --mod=readonly test/install_test.go --linkerd=(pwd)"/bin/linkerd" --k8s-context="$CTX" --integration-tests
go test -v --mod=readonly test/edges/edges_test.go --linkerd=(pwd)"/bin/linkerd" --k8s-context="$CTX" --integration-tests
```
Signed-off-by: Alex Leong <alex@buoyant.io>
* Add inject support for namespaces(Fix#3255)
* Add relevant unit tests (including overridden annotations)
Signed-off-by: Mayank Shah <mayankshah1614@gmail.com>
* fetch-proxy: Make POSIX compatible
* fetch-proxy: Update old comment to match current behavior
Getting the directory where the script resides can easily be done
without bash-specific functionality, and hence the script can be POSIX
compatible.
Change-Id: I30bd69dccbc950bdce3dc5da4bea279305a7b1f9
Signed-off-by: Joakim Roubert <joakimr@axis.com>
Getting the directory where the script resides can easily be done
without bash-specific functionality, and hence the script can be POSIX
compatible. Also adding the missing pieces for handling paths with
whitespaces.
Change-Id: Ie2e867929be0322e476342438d9cf4a3d36f58f1
Signed-off-by: Joakim Roubert <joakimr@axis.com>
Zahari Dichev
Cynthia S. Garcia
Andrew Seigner
Alex Leong
Oliver Gould
Alejandro Pedraza
Carol A. Scott
Alena Varkockova
Sergio C. Arteaga
Eugene Glotov
Ivan Sim
Tarun Pothulapati
cpretzer
Mayank Shah
StupidScience
Joakim Roubert
Eliza Weisman
William Morgan
Joakim Roubert