-
edge-21.1.3fcb71de4 · ·
This edge release improves proxy diagnostics and recovery in situations where the proxy is temporarily unable to route requests. Additionally, the `viz` and `multicluster` CLI sub-commands have been updated for consistency. Full release notes: * Added Helm-style `set`, `set-string`, `values`, `set-files` customization flags for the `linkerd install` and `linkerd multicluster install` commands * Fixed an issue where `linkerd metrics` could return metrics for the incorrect set of pods when there are overlapping label selectors * Added tap-injector to linkerd-viz which is responsible for adding the tap service name environment variable to the Linkerd proxy container * Improved diagnostics when the proxy is temporarily unable to route requests * Made proxy recovery for a service more robust when the proxy is unable to route requests, even when new requests are being received * Added `client` and `server` prefixes in the proxy logs for socket-level errors to indicate which side of the proxy encountered the error * Improved jaeger-injector reliability in environments with many resources by adding watch RBAC permissions * Added check to confirm whether the jaeger-injector pod is in running state (thanks @yashvardhan-kukreja!) * Fixed a crash in the destination controller when EndpointSlices are enabled (thanks @oleh-ozimok!) * Added a `linkerd viz check` sub-command to verify the states of the `linkerd-viz` components * Added a `log-format` flag to optionally output the control plane component log output as JSON (thanks @mo4islona!) * Updated the logic in the `metrics` and `profile` subcommands to use the `namespace` specified by the `current-context` of the KUBECONFIG so that it is no longer necessary to use the `--namespace` flag to query resources in the current namespace. Queries for resources in namespaces other than the current namespace still require the `--namespace` flag * Added new pod 'linkerd-metrics-api' set up by `linkerd viz install` that manages all functionality dependent on Prometheus, thus removing most of the dependencies on Prometheus from the linkerd core installation * Removed need to have linkerd-viz installed for the `linkerd multicluster check` command to properly work.
-
edge-21.1.23365e98f · ·
This edge release continues the work on decoupling non-core Linkerd components. Commands that use the viz extension i.e, `dashboard`, `edges`, `routes`, `stat`, `tap` and `top` are moved to the `viz` sub-command. These commands are still available under root but are marked as deprecated and will be removed in a later stable release. This release also upgrades the proxy's dependencies to the Tokio v1 ecosystem. * Moved sub-commands that use the viz extension under `viz` * Started ignoring pods with `Succeeded` status when watching IP addresses in destination. This allows the re-use of IPs of terminated pods * Support Bring your own Jaeger use-case by adding `collector.jaegerAddr` in the Jaeger extension. * Fixed an issue with the generation of working manifests in the `podAntiAffinity` use-case * Added support for the modification of proxy resources in the viz extension through `values.yaml` in Helm and flags in CLI. * Improved error reporting for port-forward logic with namespace and pod data, used across dashboard, checks, etc (thanks @piyushsingariya) * Added support to disable the rendering of `linkerd-viz` namespace resource in the viz extension (thanks @nlamirault) * Made service-profile generation work offline with `--ignore-cluster` flag (thanks @piyushsingariya) * Upgraded the proxy's dependencies to the Tokio v1 ecosystem
-
stable-2.9.2d5e9d56c · ·
This stable release fixes an issue that stops traffic to a pod when there is an IP address conflict with another pod that is not in a running state. It also fixes an upgrade issue when using HA that would lead to values being overridden.
-
edge-21.1.1308a1f3f · ·
This edge release introduces a new "opaque transport" feature that allows the proxy to securely transport server-speaks-first and otherwise opaque TCP traffic. Using the `config.linkerd.io/opaque-ports` annotation on pods and namespaces, users can configure ports that should skip the proxy's protocol detection. Additionally, a new `linkerd-viz` extension has been introduced that separates the installation of the Grafana, Prometheus, web, and tap components. This extension closely follows the Jaeger and multicluster extensions; users can `install` and `uninstall` with the `linkerd viz ..` command as well as configure for HA with the `--ha` flag. The `linkerd viz install` command does not have any cli flags to customize the install directly, but instead follows the Helm way of customization by using flags such as `set`, `set-string`, `values`, `set-files`. Finally, a new `/shutdown` admin endpoint that may only be accessed over the loopback network has been added. This allows batch jobs to gracefully terminate the proxy on completion. The `linkerd-await` utility can be used to automate this. * Added a new `linkerd multicluster check` command to validate that the `linkerd-multicluster` extension is working correctly * Fixed description in the `linkerd edges` command (thanks @jsoref!) * Moved the Grafana, Prometheus, web, and tap components into a new Viz chart, following the same extension model that multicluster and Jaeger follow * Introduced a new "opaque transport" feature that allows the proxy to securely transport server-speaks-first and otherwise opaque TCP traffic * Removed the check comparing the `ca.crt` field in the identity issuer secret and the trust anchors in the Linkerd config; these values being different is not a failure case for the `linkerd check` command (thanks @cypherfox!) * Removed the Prometheus check from the `linkerd check` command since it now depends on a component that is installed with the Viz extension * Fixed error messages thrown by the cert checks in `linkerd check` (thanks @pradeepnnv!) * Added PodDisruptionBudgets to the control plane components so that they cannot be all terminated at the same time during disruptions (thanks @tustvold!) * Fixed an issue that displayed the wrong `linkerd.io/proxy-version` when it is overridden by annotations (thanks @mateiidavid!) * Added support for custom registries in the `linkerd-viz` helm chart (thanks @jimil749!) * Renamed `proxy-mutator` to `jaeger-injector` in the `linkerd-jaeger` extension * Added a new `/shutdown` admin endpoint that may only be accessed over the loopback network allowing batch jobs to gracefully terminate the proxy on completion * Introduced the `linkerd identity` command, used to fetch the TLS certificates for injected pods (thanks @jimil749) * Fixed an issue with the CNI plugin where it was incorrectly terminating and emitting error events (thanks @mhulscher!) * Re-added support for non-LoadBalancer service types in the `linkerd-multicluster` extension
-
edge-20.12.4da3195f2 · ·
This edge release adds support for the `config.linkerd.io/opaque-ports` annotation on pods and namespaces, to configure ports that should skip the proxy's protocol detection. In addition, it adds new CLI commands related to the `linkerd-jaeger` extension, fixes bugs in the CLI `install` and `upgrade` commands and Helm charts, and fixes a potential false positive in the proxy's HTTP protocol detection. Finally, it includes improvements in proxy performance and memory usage, including an upgrade for the proxy's dependency on the Tokio async runtime. * Added support for the `config.linkerd.io/opaque-ports` annotation on pods and namespaces, to indicate to the proxy that some ports should skip protocol detection * Fixed an issue where `linkerd install --ha` failed to honor flags * Fixed an issue where `linkerd upgrade --ha` can override existing configs * Added missing label to the `linkerd-config-overrides` secret to avoid breaking upgrades performed with the help of `kubectl apply --prune` * Added a missing icon to Jaeger Helm chart * Added new `linkerd jaeger check` CLI command to validate that the `linkerd-jaeger` extension is working correctly * Added new `linkerd jaeger uninstall` CLI command to print the `linkerd-jaeger` extension's resources so that they can be piped into `kubectl delete` * Fixed an issue where the `linkerd-cni` daemgitonset may not be installed on all intended nodes, due to missing tolerations to the `linkerd-cni` Helm chart (thanks @rish-onesignal!) * Fixed an issue where the `tap` APIServer would not refresh its certs automatically when provided externally—like through cert-manager * Changed the proxy's cache eviction strategy to reduce memory consumption, especially for busy HTTP/1.1 clients * Fixed an issue in the proxy's HTTP protocol detection which could cause false positives for non-HTTP traffic * Increased the proxy's default dispatch timeout to 5 seconds to accomodate connection pools which might open conenctions without immediately making a request * Updated the proxy's Tokio dependency to v0.3
-
edge-20.12.3ce9d1335 · ·
This edge release is functionally the same as `edge-20.12.2`. It fixes an issue that prevented the release build from occurring.
-
edge-20.12.2b72b2d14 · ·
* Fixed an issue where the `proxy-injector` and `sp-validator` did not refresh their certs automatically when provided externally—like through cert-manager * Added support for overrides flags to the `jaeger install` command to allow setting Helm values when installing the Linkerd-jaeger extension * Added missing Helm values to the multicluster chart (thanks @DaspawnW!) * Moved tracing functionality to the `linkerd-jaeger` extension * Fixed various issues in developer shell scripts (thanks @joakimr-axis!) * Fixed an issue where `install --ha` was only partially applying the high availability config * Updated RBAC API versions in the CNI chart (thanks @glitchcrab!) * Fixed an issue where TLS credentials are changed during upgrades, but the Linkerd webhooks would not restart, leaving them to use older credentials and fail requests * Stopped publishing the multicluster link chart as its primary use case is in the `multicluster link` command and not being installed through Helm * Added service mirror error logs for when the multicluster gateway's hostname cannot be resolved.
-
stable-2.9.1c3cb84a6 · ·
## stable-2.9.1 This stable release contains a number of proxy enhancements: better support for high-traffic workloads, improved performance by eliminating unnecessary endpoint resolutions for TCP traffic and properly tearing down serverside connections when errors occur, and reduced memory consumption on proxies which maintain many idle connections (such as Prometheus' proxy). On the CLI and control plane sides, it relaxes checks on root and intermediate certificates (following X509 best practices), and fixes two issues: one that prevented installation of the control plane into a custom namespace and one which failed to update endpoint information when a headless service was modified. * Proxy: * Addressed some issues reported around clients seeing max-concurrency errors by increasing the default in-flight request limit to 100K pending requests * Reduced the default idle connection timeout to 5s for outbound clients and for inbound clients to reduce the proxy's memory footprint, especially on Prometheus instances * Fixed an issue where the proxy did not receive updated endpoint information when a headless service was modified * Added HTTP/2 keepalive PING frames * Removed logic to avoid redundant TCP endpoint resolution * Fixed an issue where serverside connections were not torn down when an error occurred * CLI / Helm / Control Plane: * Fixed a CLI issue where the `linkerd-namespace` flag was not honored when passed to the `install` and `upgrade` commands * Fixed installing HA through the CLI (`linkerd install --ha`) that wasn't honoring some of the default settings found in `values-ha.yml` * Force the webhook pods (proxy-injector, sp-validator and tap) to be restarted when upgrading through the CLI, if a secret they rely on changes * Fixed multicluster installation using Helm * Updated `linkerd check` so that it doesn't attempt to validate the subject alternative name (SAN) on root and intermediate certificates. SANs for leaf certificates will continue to be validated * Fixed an issue in the destination service where endpoints always included a protocol hint, regardless of the controller label being present or not * Removed the `get` and `logs` command from the CLI * No longer panic in rare cases when `linkerd-config` doesn't have an entry for `Global` configs (thanks @hodbn!)
-
edge-20.12.18ad546b3 · ·
This edge release continues the work of decoupling non-core Linkerd components by moving more tracing related functionality into the Linkerd-jaeger extension. * Continued work on moving tracing functionality from the main control plane into the `linkerd-jaeger` extension * Fixed a potential panic in the proxy when looking up a socket's peer address while under high load * Added automatic readme generation for charts (thanks @GMarkfjard!) * Fixed zsh completion for the CLI (thanks @jiraguha!) * Added support for multicluster gateways of types other than LoadBalancer (thanks @DaspawnW!)
-
edge-20.11.562e208b9 · ·
## edge-20.11.5 This edge release improves the proxy's support high-traffic workloads. It also contains the first steps towards decoupling non-core Linkerd components, the first iteration being a new `linkerd jaeger` sub-command for installing tracing. Please note this is still a work in progress. * Addressed some issues reported around clients seeing max-concurrency errors by increasing the default in-flight request limit to 100K pending requests * Have the proxy appropriately set `content-type` when synthesizing gRPC error responses * Bumped the `proxy-init` image to `v1.3.8` which is based off of `buster-20201117-slim` to reduce potential security vulnerabilities * No longer panic in rare cases when `linkerd-config` doesn't have an entry for `Global` configs (thanks @hodbn!) * Work in progress: the `/jaeger` directory now contains the charts and commands for installing the tracing component.
-
edge-20.11.49a520ec2 · ·
* Fixed an issue in the destination service where endpoints always included a protocol hint, regardless of the controller label being present or not
-
edge-20.11.3c0a64946 · ·
This edge release improves support for CNI by properly handling parameters passed to the `nsenter` command, relaxes checks on root and intermediate certificates (following X509 best practices), and fixes two issues: one that prevented installation of the control plane into a custom namespace and one which failed to update endpoint information when a headless service is modified. This release also improves linkerd proxy performance by eliminating unnecessary endpoint resolutions for TCP traffic and properly tearing down serverside connections when an errors occur. * Added HTTP/2 keepalive PING frames * Removed logic to avoid redundant TCP endpoint resolution * Fixed an issue where serverside connections where not torn down when an error occurs * Updated `linkerd check` so that it doesn't attempt to validate the subject alternative name (SAN) on root and intermediate certificates. SANs for leaf certificates will continue to be validated * Fixed a CLI issue where the `linkerd-namespace` flag is not honored when passed to the `install` and `upgrade` commands * Fixed an issue where the proxy does not receive updated endpoint information when a headless service is modified * Updated the control plane Docker images to use `buster-20201117-slim` to reduce potential security vulnerabilities * Updated the proxy-init container to `v1.3.7` which fixes CNI issues in certain environments by properly parsing `nsenter` args
-
edge-20.11.21a91f6b0 · ·
This edge release reduces memory consumption of Linkerd proxies which maintain many idle connections (such as Prometheus). It also removes some obsolete commands from the CLI and allows setting custom annotations on multicluster gateways. * Reduced the default idle connection timeout to 5s for outbound clients and 20s for inbound clients to reduce the proxy's memory footprint, especially on Prometheus instances * Added support for setting annotations on the multicluster gateway in Helm which allows setting the load balancer as internal (thanks @shaikatz!) * Removed the `get` and `logs` command from the CLI
-
stable-2.9.02ff70d4c · ·
## stable-2.9.0 This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP connections, allowing Linkerd to transparently encrypt and authenticate all TCP connections in the cluster the moment it's installed. It also adds ARM support, introduces a new multi-core proxy runtime for higher throughput, adds support for Kubernetes service topologies, and lots, lots more, as described below: * Proxy * Performed internal improvements for lower latencies under high concurrency * Reduced performance impact of logging, especially when the `debug` or `trace` log levels are disabled * Improved error handling for DNS errors encountered when discovering control plane addresses; this can be common during installation before all components have been started, allowing linkerd to continue to operate normally in HA during node outages * Control Plane * Added support for [topology-aware service routing](https://kubernetes.io/docs/concepts/services-networking/service-topology/) to the Destination controller; when providing service discovery updates to proxies the Destination controller will now filter endpoints based on the service's topology preferences * Added support for the new Kubernetes [EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) resource to the Destination controller; Linkerd can be installed with `--enable-endpoint-slices` flag to use this resource rather than the Endpoints API in clusters where this new API is supported * Dashboard * Added new Spanish translations (please help us translate into your language!) * Added new section for exposing multicluster gateway metrics * CLI * Renamed the `--addon-config` flag to `--config` to clarify this flag can be used to set any Helm value * Added fish shell completions to the `linkerd` command * Multicluster * Replaced the single `service-mirror` controller with separate controllers that will be installed per target cluster through `linkerd multicluster link` * Changed the mechanism for mirroring services: instead of relying on annotations on the target services, now the source cluster should specify which services from the target cluster should be exported by using a label selector * Added support for creating multiple service accounts when installing multicluster with Helm to allow more granular revocation * Added a multicluster `unlink` command for removing multicluster links * Prometheus * Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this makes the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle from the rest of the control plane, and allows users to disable the bundled Prometheus instance * The long-awaited Bring-Your-Own-Prometheus case has been finally addressed: added `global.prometheusUrl` to the Helm config to have linkerd use an external Prometheus instance instead of the one provided by default * Added an option to persist data to a volume instead of memory, so that historical metrics are available when Prometheus is restarted * The helm chart can now configure persistent storage and limits * Other * Added a new `linkerd.io/inject: ingress` annotation and accompanying `--ingress` flag to the `inject` command, to configure the proxy to support service profiles and enable per-route metrics and traffic splits for HTTP ingress controllers * Changed the type of the injector and tap API secrets to `kubernetes.io/tls` so they can be provisioned by cert-manager * Changed default docker image repository to `ghcr.io` from `gcr.io`; **Users who pull the images into private repositories should take note of this change** * Introduced support for authenticated docker registries * Simplified the way that Linkerd stores its configuration; configuration is now stored as Helm values in the `linkerd-config` ConfigMap * Added support for Helm configuration of per-component proxy resources requests This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: [Abereham G Wodajie](https://github.com/Abrishges), [Alexander Berger](https://github.com/alex-berger), [Ali Ariff](https://github.com/aliariff), [Arthur Silva Sens](https://github.com/ArthurSens), [Chris Campbell](https://github.com/campbel), [Daniel Lang](https://github.com/mavrick), [David Tyler](https://github.com/DaveTCode), [Desmond Ho](https://github.com/DesmondH0), [Dominik Münch](https://github.com/muenchdo), [George Garces](https://github.com/jgarces21), [Herrmann Hinz](https://github.com/HerrmannHinz), [Hu Shuai](https://github.com/hs0210), [Jeffrey N. Davis](https://github.com/penland365), [Joakim Roubert](https://github.com/joakimr-axis), [Josh Soref](https://github.com/jsoref), [Lutz Behnke](https://github.com/cypherfox), [MaT1g3R](https://github.com/MaT1g3R), [Marcus Vaal](https://github.com/mvaal), [Markus](https://github.com/mbettsteller), [Matei David](https://github.com/mateiidavid), [Matt Miller](https://github.com/mmiller1), [Mayank Shah](https://github.com/mayankshah1607), [Naseem](https://github.com/naseemkullah), [Nil](https://github.com/c-n-c), [OlivierB](https://github.com/olivierboudet), [Olukayode Bankole](https://github.com/rbankole), [Paul Balogh](https://github.com/javaducky), [Rajat Jindal](https://github.com/rajatjindal), [Raphael Taylor-Davies](https://github.com/tustvold), [Simon Weald](https://github.com/glitchcrab), [Steve Gray](https://github.com/steve-gray), [Suraj Deshmukh](https://github.com/surajssd), [Tharun Rajendran](https://github.com/tharun208), [Wei Lun](https://github.com/WLun001), [Zhou Hao](https://github.com/zhouhao3), [ZouYu](https://github.com/Hellcatlk), [aimbot31](https://github.com/aimbot31), [iohenkies](https://github.com/iohenkies), [memory](https://github.com/memory), and [tbsoares](https://github.com/tbsoares)
-
edge-20.11.1dc6e2114 · ·
This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0. * Fixed issue where the `check` command would error when there is no Prometheus configured * Fixed recent regression that caused multicluster on EKS to not work properly * Changed the `check` command to warn instead of error when webhook certificates are near expiry * Added the `--ingress` flag to the `inject` command which adds the recently introduced `linkerd.io/inject: ingress` annotation * Fixed issue with upgrades where external certs would be fetched and stored even though this does not happen on fresh installs with externally created certs * Fixed issue with upgrades where the issuer cert expiration was being reset * Removed the `--registry` flag from the `multicluster install` command * Removed default CPU limits for the proxy and control plane components in HA mode
-
edge-20.10.68c6a2c57 · ·
This edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It adds a new `linkerd.io/inject: ingress` annotation to support service profiles and enable per-route metrics and traffic splits for HTTP ingress controllers * Added a new `linkerd.io/inject: ingress` annotation to configure the proxy to support service profiles and enable per-route metrics and traffic splits for HTTP ingress controllers * Reduced performance impact of logging in the proxy, especially when the `debug` or `trace` log levels are disabled * Fixed spurious warnings logged by the `linkerd profile` CLI command
-
edge-20.10.55c9d3484 · ·
This edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It adds a fix for updating the destination service when ther are no endpoints * Added a fix to clear the EndpointTranslator state when it gets a `NoEndpoints` message. This ensures that the clients get the correct set of endpoints during an update.
-
edge-20.10.48a41c9a3 · ·
This edge release is a release candidate for stable-2.9.0. For the proxy, there have been changes to improve performance, remove unused code, and configure ports that can be ignored by default. Also, this edge release adds enhancements to the multicluster configuration and observability, adds more translations to the dashboard, and addresses a bug in the CLI. * Added more Spanish translations to the dashboard and more labels that can be translated * Added support for creating multiple service accounts when installing multicluster with Helm to allow more granular revocation * Renamed `global.proxy.destinationGetNetworks` to `global.clusterNetworks`. This is a cluster-wide setting and can no longer be overridden per-pod * Fixed an empty multicluster Grafana graph which used a deprecated label * Added the control plane tracing ServiceAccounts to the linkerd-psp RoleBinding so that it can be used in environments where PodSecurityPolicy is enabled * Enhanced EKS support by adding `100.64.0.0/10` to the set of discoverable networks * Fixed a bug in the way that the `--all-namespaces` flag is handled by the `linkerd edges` command * Added a default set of ports to bypass the proxy for server-first, https, and memcached traffic
-
edge-20.10.3827646a3 · ·
This edge release is a release candidate for stable-2.9.0. It overhauls the discovery and routing logic implemented by the proxy, simplifies the way that Linkerd stores configuration, and adds new Helm values to configure additional labels, annotations, and namespace selectors for webhooks. * Added podLabels and podAnnotations Helm values to allow adding additional labels or annotations to Linkerd control plane pods (thanks @tustvold!) * Added namespaceSelector Helm value for configuring the namespace selector used by admission webhooks (thanks @tustvold!) * Expanded the 'linkerd edges' command to show TCP connections * Overhauled the discovery and routing logic implemented by the proxy: * The `l5d-dst-override` header is no longer honored * When the application attempts to connect to a pod IP, the proxy no longer load balances these requests among all pods in the service. The proxy will now honor session-stickiness as selected by an application-level load balancer * `TrafficSplits` are only applied when a client targets a service's IP * The proxy no longer performs DNS "canonicalization" to translate relative host header names to a fully-qualified form * Simplified the way that Linkerd stores its configuration. Configuration is now stored as Helm values in the linkerd-config ConfigMap * Renamed the --addon-config flag to --config to clarify this flag can be used to set any Helm value
-
edge-20.10.2ffa71579 · ·
## edge-20.10.2 This edge release adds more improvements for mTLS for all TCP traffic. It also includes significant internal improvements to the way Linkerd configuration is stored within the cluster. * Changed TCP metrics exported by the proxy to ensure that peer identities are encoded via the `client_id` and `server_id` labels. * Removed the dependency of control plane components on `linkerd-config` * Updated the data structure `proxy-injector` uses to derive the configuration used when injecting workloads