linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/charts/linkerd2-cni
History
Alex Leong b9caae0cd9
stable-2.7.0 (#4019) 
## stable-2.7.0

This release adds support for integrating Linkerd's PKI with an external
certificate issuer such as [`cert-manager`] as well as streamlining the
certificate rotation process in general. For more details about cert-manager
and certificate rotation, see the
[docs](https://linkerd.io/2/tasks/use_external_certs/). This release also
includes performance improvements to the dashboard, reduced memory usage of the
proxy, various improvements to the Helm chart, and much much more.

To install this release, run: `curl https://run.linkerd.io/install | sh`

**Upgrade notes**: This release includes breaking changes to our Helm charts.
Please see the [upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-270).

**Special thanks to**: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre,
@javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607,
@Pothulapati, and @StupidScience!

**Full release notes**:

* CLI
  * Updated the mTLS trust anchor checks to eliminate false positives caused by
    extra trailing spaces
  * Reduced the severity level of the Linkerd version checks, so that they
    don't fail when the external version endpoint is unreachable
    (thanks @mayankshah1607!)
  * Added a new `tap` APIService check to aid with uncovering Kubernetes API
    aggregatation layer issues (thanks @droidnoob!)
  * Introduced CNI checks to confirm the CNI plugin is installed and ready;
    this is done through `linkerd check --pre --linkerd-cni-enabled` before
    installation and `linkerd check` after installation if the CNI plugin is
    present
  * Added support for the `--as-group` flag so that users can impersonate
    groups for Kubernetes operations (thanks @mayankshah1607!)
  * Added HA specific checks to `linkerd check` to ensure that the `kube-system`
    namespace has the `config.linkerd.io/admission-webhooks:disabled`
    label set
  * Fixed a problem causing the presence of unnecessary empty fields in
    generated resource definitions (thanks @mayankshah1607)
  * Added the ability to pass both port numbers and port ranges to
    `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
  * Increased the comprehensiveness of `linkerd check --pre`
  * Added TLS certificate validation to `check` and `upgrade` commands
  * Added support for injecting CronJobs and ReplicaSets, as well as the ability
    to use them as targets in the CLI subcommands
  * Introduced the new flags `--identity-issuer-certificate-file`,
    `--identity-issuer-key-file` and `identity-trust-anchors-file` to `linkerd
    upgrade` to support trust anchor and issuer certificate rotation
  * Added a check that ensures using `--namespace` and `--all-namespaces`
    results in an error as they are mutually exclusive
  * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow
    configuring the number of dashboard replicas (thanks @KIVagant!)
  * Removed redundant service profile check (thanks @alenkacz!)
  * Updated `uninject` command to work with namespace resources
    (thanks @mayankshah1607!)
  * Added a new `--identity-external-issuer` flag to `linkerd install` that
    configures Linkerd to use certificates issued by an external certificate
    issuer (such as `cert-manager`)
  * Added support for injecting a namespace to `linkerd inject` (thanks
    @mayankshah1607!)
  * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets
    can be created and accessed
  * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed
    IPs that match multiple running pods
  * Made `linkerd install --ignore-cluster` and `--skip-checks` faster
  * Fixed a bug causing `linkerd upgrade` to fail when used with
  `--from-manifest`
  * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)
  * Updated `check` to ensure that proxy trust anchors match configuration
       (thanks @ereslibre!)
  * Added condition to the `linkerd stat` command that requires a window size
    of at least 15 seconds to work properly with Prometheus
* Controller
  * Fixed an issue where an override of the Docker registry was not being
    applied to debug containers (thanks @javaducky!)
  * Added check for the Subject Alternate Name attributes to the API server
    when access restrictions have been enabled (thanks @javaducky!)
  * Added support for arbitrary pod labels so that users can leverage the
    Linkerd provided Prometheus instance to scrape for their own labels
    (thanks @daxmc99!)
  * Fixed an issue with CNI config parsing
  * Fixed a race condition in the `linkerd-web` service
  * Updated Prometheus to 2.15.2 (thanks @Pothulapati)
  * Increased minimum kubernetes version to 1.13.0
  * Added support for pod ip and service cluster ip lookups in the destination 
    service
  * Added recommended kubernetes labels to control-plane
  * Added the `--wait-before-exit-seconds` flag to linkerd inject for the proxy 
    sidecar to delay the start of its shutdown process (a huge commit from 
    @KIVagant, thanks!)
  * Added a pre-sign check to the identity service 
  * Fixed inject failures for pods with security context capabilities
  * Added `conntrack` to the `debug` container to help with connection tracking
    debugging
  * Fixed a bug in `tap` where mismatch cluster domain and trust domain caused
    `tap` to hang
  * Fixed an issue in the `identity` RBAC resource which caused start up errors
    in k8s 1.6 (thanks @Pothulapati!)
  * Added support for using trust anchors from an external certificate issuer
    (such as `cert-mananger`) to the `linkerd-identity` service
  * Added support for headless services (thanks @JohannesEH!)
* Helm
  * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`
  * **Breaking Change** Updated Helm charts to follow best practices (thanks
    @Pothulapati and @javaducky!)
  * Fixed an issue with `helm install` where the lists of ignored inbound and
    outbound ports would not be reflected
  * Fixed the `linkerd-cni` Helm chart not setting proper namespace annotations
    and labels
  * Fixed certificate issuance lifetime not being set when installing through
    Helm
  * Updated the helm build to retain previous releases
  * Moved CNI template into its own Helm chart
* Proxy
  * Fixed an issue that could cause the OpenCensus exporter to stall
  * Improved error classification and error responses for gRPC services
  * Fixed a bug where the proxy could stop receiving service discovery updates,
    resulting in 503 errors
  * Improved debug/error logging to include detailed contextual information
  * Fixed a bug in the proxy's logging subsystem that could cause the proxy to
    consume memory until the process is OOM killed, especially when the proxy was
    configured to log diagnostic information
  * Updated proxy dependencies to address RUSTSEC-2019-0033, RUSTSEC-2019-0034,
    and RUSTSEC-2020-02
* Web UI
  * Fixed an error when refreshing an already open dashboard when the Linkerd
    version has changed
  * Increased the speed of the dashboard by pausing network activity when the 
    dashboard is not visible to the user
  * Added support for CronJobs and ReplicaSets, including new Grafana dashboards
    for them
  * Added `linkerd check` to the dashboard in the `/controlplane` view
  * Added request and response headers to the `tap` expanded view in the
    dashboard
  * Added filter to namespace select button
  * Improved how empty tables are displayed
  * Added `Host:` header validation to the `linkerd-web` service, to protect
    against DNS rebinding attacks
  * Made the dashboard sidebar component responsive
  * Changed the navigation bar color to the one used on the [Linkerd](https://linkerd.io/) website
* Internal
  * Added validation to incoming sidecar injection requests that ensures
    the value of `linkerd.io/inject` is either `enabled` or `disabled`
    (thanks @mayankshah1607)
  * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
  * Fixed an issue causing `tap`, `injector` and `sp-validator` to use 
    old certificates after `helm upgrade` due to not being restarted
  * Fixed incomplete Swagger definition of the tap api, causing benign
    error logging in the kube-apiserver
  * Removed the destination container from the linkerd-controller deployment as
    it now runs in the linkerd-destination deployment
  * Allowed the control plane to be injected with the `debug` container
  * Updated proxy image build script to support HTTP proxy options
    (thanks @joakimr-axis!)
  * Updated the CLI `doc` command to auto-generate documentation for the proxy
    configuration annotations (thanks @StupidScience!)
  * Added new `--trace-collector` and `--trace-collector-svc-account` flags to
    `linkerd inject` that configures the OpenCensus trace collector used by
    proxies in the injected workload (thanks @Pothulapati!)
  * Added a new `--control-plane-tracing` flag to `linkerd install` that enables
    distributed tracing in the control plane (thanks @Pothulapati!)
  * Added distributed tracing support to the control plane (thanks
    @Pothulapati!)

[`cert-manager`]: https://github.com/jetstack/cert-manager

Signed-off-by: Alex Leong <alex@buoyant.io>
 		2020-02-06 10:58:59 -08:00
..
templates Fix CNI config parsing (#3953) 2020-01-23 09:55:04 -08:00
.helmignore Move CNI template to helm (#3581) 2019-12-10 13:21:28 +02:00
Chart.yaml Increase minimum k8s version to 1.13 (#3845) 2019-12-19 09:26:08 -08:00
OWNERS Move CNI template to helm (#3581) 2019-12-10 13:21:28 +02:00
README.md Add checks for CNI plugin (#3903) 2020-01-17 12:11:19 +02:00
requirements.lock Fix CNI config parsing (#3953) 2020-01-23 09:55:04 -08:00
requirements.yaml Fix CNI config parsing (#3953) 2020-01-23 09:55:04 -08:00
values.yaml stable-2.7.0 (#4019) 2020-02-06 10:58:59 -08:00

README.md

Linkerd2-cni Helm Chart

Linkerd is a service mesh, designed to give platform-wide observability, reliability, and security without requiring configuration or code changes. The Linkerd CNI plugin takes care of setting up your pod's network so incoming and outgoing traffic is proxied through the data plane.

Configuration

The following table lists the configurable parameters of the Linkerd2-cni chart and their default values.

Parameter Description Default
cniPluginImage Docker image for the CNI plugin gcr.io/linkerd-io/cni-plugin
cniPluginVersion Tag for the CNI container Docker image latest version
cniResourceAnnotation CNI resource annotation. Do not edit linkerd.io/cni-resource
controllerNamespaceLabel Control plane label. Do not edit linkerd.io/control-plane-ns
createdByAnnotation Annotation label for the proxy create. Do not edit. linkerd.io/created-by
destCNIBinDir Directory on the host where the CNI plugin binaries reside /opt/cni/bin
destCNINetDir Directory on the host where the CNI configuration will be placed /etc/cni/net.d
ignoreInboundPorts Inbound ports the proxy should ignore
ignoreOutboundPorts Outbound ports the proxy should ignore
inboundProxyPort Inbound port for the proxy container 4143
logLevel Log level for the CNI plugin info
namespace CNI plugin plane namespace linkerd-cni
outboundProxyPort Outbound port for the proxy container 4140
portsToRedirect Ports to redirect to proxy
proxyUID User id under which the proxy shall be ran 2102
useWaitFlag Configures the CNI plugin to use the -w flag for the iptables command false