标签

This edge release improves proxy diagnostics and recovery in situations where
the proxy is temporarily unable to route requests. Additionally, the `viz` and
`multicluster` CLI sub-commands have been updated for consistency.

Full release notes:

* Added Helm-style `set`, `set-string`, `values`, `set-files` customization
  flags for the `linkerd install` and `linkerd multicluster install` commands
* Fixed an issue where `linkerd metrics` could return metrics for the incorrect
  set of pods when there are overlapping label selectors
* Added tap-injector to linkerd-viz which is responsible for adding the tap
  service name environment variable to the Linkerd proxy container
* Improved diagnostics when the proxy is temporarily unable to route requests
* Made proxy recovery for a service more robust when the proxy is unable to
  route requests, even when new requests are being received
* Added `client` and `server` prefixes in the proxy logs for socket-level errors
  to indicate which side of the proxy encountered the error
* Improved jaeger-injector reliability in environments with many resources by
  adding watch RBAC permissions
* Added check to confirm whether the jaeger-injector pod is in running state
  (thanks @yashvardhan-kukreja!)
* Fixed a crash in the destination controller when EndpointSlices are enabled
  (thanks @oleh-ozimok!)
* Added a `linkerd viz check` sub-command to verify the states of the
  `linkerd-viz` components
* Added a `log-format` flag to optionally output the control plane component log
  output as JSON (thanks @mo4islona!)
* Updated the logic in the `metrics` and `profile` subcommands to use the
  `namespace` specified by the `current-context` of the KUBECONFIG so that it is
  no longer necessary to use the `--namespace` flag to query resources in the
  current namespace. Queries for resources in namespaces other than the
  current namespace still require the `--namespace` flag
* Added new pod 'linkerd-metrics-api' set up by `linkerd viz install` that
  manages all functionality dependent on Prometheus, thus removing most of the
  dependencies on Prometheus from the linkerd core installation
* Removed need to have linkerd-viz installed for the
  `linkerd multicluster check` command to properly work.

This edge release continues the work on decoupling non-core Linkerd components.
Commands that use the viz extension i.e, `dashboard`, `edges`, `routes`,
`stat`, `tap` and `top` are moved to the `viz` sub-command. These commands are still
available under root but are marked as deprecated and will be removed in a
later stable release.

This release also upgrades the proxy's dependencies to the Tokio v1 ecosystem.

* Moved sub-commands that use the viz extension under `viz`
* Started ignoring pods with `Succeeded` status when watching IP addresses
  in destination. This allows the re-use of IPs of terminated pods
* Support Bring your own Jaeger use-case by adding `collector.jaegerAddr` in
  the Jaeger extension.
* Fixed an issue with the generation of working manifests in the
  `podAntiAffinity` use-case
* Added support for the modification of proxy resources in the viz
  extension through `values.yaml` in Helm and flags in CLI.
* Improved error reporting for port-forward logic with namespace
  and pod data, used across dashboard, checks, etc
  (thanks @piyushsingariya)
* Added support to disable the rendering of `linkerd-viz` namespace
  resource in the viz extension (thanks @nlamirault)
* Made service-profile generation work offline with `--ignore-cluster`
  flag (thanks @piyushsingariya)
* Upgraded the proxy's dependencies to the Tokio v1 ecosystem

This stable release fixes an issue that stops traffic to a pod when there is an
IP address conflict with another pod that is not in a running state.

It also fixes an upgrade issue when using HA that would lead to values being
overridden.

This edge release introduces a new "opaque transport" feature that allows the
proxy to securely transport server-speaks-first and otherwise opaque TCP
traffic. Using the `config.linkerd.io/opaque-ports` annotation on pods and
namespaces, users can configure ports that should skip the proxy's protocol
detection.

Additionally, a new `linkerd-viz` extension has been introduced that separates
the installation of the Grafana, Prometheus, web, and tap components. This
extension closely follows the Jaeger and multicluster extensions; users can
`install` and `uninstall` with the `linkerd viz ..` command as well as configure
for HA with the `--ha` flag.

The `linkerd viz install` command does not have any cli flags to customize the
install directly, but instead follows the Helm way of customization by using
flags such as `set`, `set-string`, `values`, `set-files`.

Finally, a new `/shutdown` admin endpoint that may only be accessed over the
loopback network has been added. This allows batch jobs to gracefully terminate
the proxy on completion. The `linkerd-await` utility can be used to automate
this.

* Added a new `linkerd multicluster check` command to validate that the
  `linkerd-multicluster` extension is working correctly
* Fixed description in the `linkerd edges` command (thanks @jsoref!)
* Moved the Grafana, Prometheus, web, and tap components into a new Viz chart,
  following the same extension model that multicluster and Jaeger follow
* Introduced a new "opaque transport" feature that allows the proxy to securely
  transport server-speaks-first and otherwise opaque TCP traffic
* Removed the check comparing the `ca.crt` field in the identity issuer secret
  and the trust anchors in the Linkerd config; these values being different is
  not a failure case for the `linkerd check` command (thanks @cypherfox!)
* Removed the Prometheus check from the `linkerd check` command since it now
  depends on a component that is installed with the Viz extension
* Fixed error messages thrown by the cert checks in `linkerd check` (thanks
  @pradeepnnv!)
* Added PodDisruptionBudgets to the control plane components so that they cannot
  be all terminated at the same time during disruptions (thanks @tustvold!)
* Fixed an issue that displayed the wrong `linkerd.io/proxy-version` when it is
  overridden by annotations (thanks @mateiidavid!)
* Added support for custom registries in the `linkerd-viz` helm chart (thanks
  @jimil749!)
* Renamed `proxy-mutator` to `jaeger-injector` in the `linkerd-jaeger` extension
* Added a new `/shutdown` admin endpoint that may only be accessed over the
  loopback network allowing batch jobs to gracefully terminate the proxy on
  completion
* Introduced the `linkerd identity` command, used to fetch the TLS certificates
  for injected pods (thanks @jimil749)
* Fixed an issue with the CNI plugin where it was incorrectly terminating and
  emitting error events (thanks @mhulscher!)
* Re-added support for non-LoadBalancer service types in the
  `linkerd-multicluster` extension

This edge release adds support for the `config.linkerd.io/opaque-ports`
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
`linkerd-jaeger` extension, fixes bugs in the CLI `install` and `upgrade`
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.

* Added support for the `config.linkerd.io/opaque-ports` annotation on pods and
  namespaces, to indicate to the proxy that some ports should skip protocol
  detection
* Fixed an issue where `linkerd install --ha` failed to honor flags
* Fixed an issue where `linkerd upgrade --ha` can override existing configs
* Added missing label to the `linkerd-config-overrides` secret to avoid breaking
  upgrades performed with the help of `kubectl apply --prune`
* Added a missing icon to Jaeger Helm chart
* Added new `linkerd jaeger check` CLI command to validate that the
  `linkerd-jaeger` extension is working correctly
* Added new `linkerd jaeger uninstall` CLI command to print the `linkerd-jaeger`
  extension's resources so that they can be piped into `kubectl delete`
* Fixed an issue where the `linkerd-cni` daemgitonset may not be installed on all
  intended nodes, due to missing tolerations to the `linkerd-cni` Helm chart
  (thanks @rish-onesignal!)
* Fixed an issue where the `tap` APIServer would not refresh its certs
  automatically when provided externally—like through cert-manager
* Changed the proxy's cache eviction strategy to reduce memory consumption,
  especially for busy HTTP/1.1 clients
* Fixed an issue in the proxy's HTTP protocol detection which could cause false
  positives for non-HTTP traffic
* Increased the proxy's default dispatch timeout to 5 seconds to accomodate
  connection pools which might open conenctions without immediately making a
  request
* Updated the proxy's Tokio dependency to v0.3

This edge release is functionally the same as `edge-20.12.2`. It fixes an issue
that prevented the release build from occurring.

* Fixed an issue where the `proxy-injector` and `sp-validator` did not refresh
  their certs automatically when provided externally—like through cert-manager
* Added support for overrides flags to the `jaeger install` command to allow
  setting Helm values when installing the Linkerd-jaeger extension
* Added missing Helm values to the multicluster chart (thanks @DaspawnW!)
* Moved tracing functionality to the `linkerd-jaeger` extension
* Fixed various issues in developer shell scripts (thanks @joakimr-axis!)
* Fixed an issue where `install --ha` was only partially applying the high
  availability config
* Updated RBAC API versions in the CNI chart (thanks @glitchcrab!)
* Fixed an issue where TLS credentials are changed during upgrades, but the
  Linkerd webhooks would not restart, leaving them to use older credentials and
  fail requests
* Stopped publishing the multicluster link chart as its primary use case is in
  the `multicluster link` command and not being installed through Helm
* Added service mirror error logs for when the multicluster gateway's hostname
  cannot be resolved.

## stable-2.9.1

This stable release contains a number of proxy enhancements: better support for
high-traffic workloads, improved performance by eliminating unnecessary endpoint
resolutions for TCP traffic and properly tearing down serverside connections
when errors occur, and reduced memory consumption on proxies which maintain many
idle connections (such as Prometheus' proxy).

On the CLI and control plane sides, it relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service was
modified.

* Proxy:
  * Addressed some issues reported around clients seeing max-concurrency errors
    by increasing the default in-flight request limit to 100K pending requests
  * Reduced the default idle connection timeout to 5s for outbound clients and
    for inbound clients to reduce the proxy's memory footprint, especially on
      Prometheus instances
  * Fixed an issue where the proxy did not receive updated endpoint information
    when a headless service was modified
  * Added HTTP/2 keepalive PING frames
  * Removed logic to avoid redundant TCP endpoint resolution
  * Fixed an issue where serverside connections were not torn down when an error
    occurred

* CLI / Helm / Control Plane:
  * Fixed a CLI issue where the `linkerd-namespace` flag was not honored when
    passed to the `install` and `upgrade` commands
  * Fixed installing HA through the CLI (`linkerd install --ha`) that wasn't
    honoring some of the default settings found in `values-ha.yml`
  * Force the webhook pods (proxy-injector, sp-validator and tap) to be
    restarted when upgrading through the CLI, if a secret they rely on changes
  * Fixed multicluster installation using Helm
  * Updated `linkerd check` so that it doesn't attempt to validate the subject
    alternative name (SAN) on root and intermediate certificates. SANs for leaf
    certificates will continue to be validated
  * Fixed an issue in the destination service where endpoints always included a
    protocol hint, regardless of the controller label being present or not
  * Removed the `get` and `logs` command from the CLI
  * No longer panic in rare cases when `linkerd-config` doesn't have an entry
    for `Global` configs (thanks @hodbn!)

This edge release continues the work of decoupling non-core Linkerd components
by moving more tracing related functionality into the Linkerd-jaeger extension.

* Continued work on moving tracing functionality from the main control plane
  into the `linkerd-jaeger` extension
* Fixed a potential panic in the proxy when looking up a socket's peer address
  while under high load
* Added automatic readme generation for charts (thanks @GMarkfjard!)
* Fixed zsh completion for the CLI (thanks @jiraguha!)
* Added support for multicluster gateways of types other than LoadBalancer
  (thanks @DaspawnW!)

## edge-20.11.5

This edge release improves the proxy's support high-traffic workloads. It also
contains the first steps towards decoupling non-core Linkerd components, the
first iteration being a new `linkerd jaeger` sub-command for installing tracing.
Please note this is still a work in progress.

* Addressed some issues reported around clients seeing max-concurrency errors by
  increasing the default in-flight request limit to 100K pending requests
* Have the proxy appropriately set `content-type` when synthesizing gRPC error
  responses
* Bumped the `proxy-init` image to `v1.3.8` which is based off of
  `buster-20201117-slim` to reduce potential security vulnerabilities
* No longer panic in rare cases when `linkerd-config` doesn't have an entry for
  `Global` configs (thanks @hodbn!)
* Work in progress: the `/jaeger` directory now contains the charts and commands
  for installing the tracing component.

* Fixed an issue in the destination service where endpoints always included a
  protocol hint, regardless of the controller label being present or not

This edge release improves support for CNI by properly handling parameters
passed to the `nsenter` command, relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service is modified.
This release also improves linkerd proxy performance by eliminating unnecessary
endpoint resolutions for TCP traffic and properly tearing down serverside
connections when an errors occur.

* Added HTTP/2 keepalive PING frames
* Removed logic to avoid redundant TCP endpoint resolution
* Fixed an issue where serverside connections where not torn down when an error
  occurs
* Updated `linkerd check` so that it doesn't attempt to validate the subject
  alternative name (SAN) on root and intermediate certificates. SANs for leaf
  certificates will continue to be validated
* Fixed a CLI issue where the `linkerd-namespace` flag is not honored when
  passed to the `install` and `upgrade` commands
* Fixed an issue where the proxy does not receive updated endpoint information
  when a headless service is modified
* Updated the control plane Docker images to use `buster-20201117-slim` to
  reduce potential security vulnerabilities
* Updated the proxy-init container to `v1.3.7` which fixes CNI issues in certain
  environments by properly parsing `nsenter` args

This edge release reduces memory consumption of Linkerd proxies which maintain
many idle connections (such as Prometheus).  It also removes some obsolete
commands from the CLI and allows setting custom annotations on multicluster
gateways.

* Reduced the default idle connection timeout to 5s for outbound clients and
  20s for inbound clients to reduce the proxy's memory footprint, especially on
  Prometheus instances
* Added support for setting annotations on the multicluster gateway in Helm
  which allows setting the load balancer as internal (thanks @shaikatz!)
* Removed the `get` and `logs` command from the CLI

## stable-2.9.0

This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
connections, allowing Linkerd to transparently encrypt and authenticate all TCP
connections in the cluster the moment it's installed. It also adds ARM support,
introduces a new multi-core proxy runtime for higher throughput, adds support
for Kubernetes service topologies, and lots, lots more, as described below:

* Proxy
  * Performed internal improvements for lower latencies under high concurrency
  * Reduced performance impact of logging, especially when the `debug` or
    `trace` log levels are disabled
  * Improved error handling for DNS errors encountered when discovering control
    plane addresses; this can be common during installation before all
    components have been started, allowing linkerd to continue to operate
    normally in HA during node outages

* Control Plane
  * Added support for [topology-aware service
    routing](https://kubernetes.io/docs/concepts/services-networking/service-topology/)
    to the Destination controller; when providing service discovery updates to
    proxies the Destination controller will now filter endpoints based on the
    service's topology preferences
  * Added support for the new Kubernetes
    [EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)
    resource to the Destination controller; Linkerd can be installed with
    `--enable-endpoint-slices` flag to use this resource rather than the
    Endpoints API in clusters where this new API is supported

* Dashboard
  * Added new Spanish translations (please help us translate into your
    language!)
  * Added new section for exposing multicluster gateway metrics

* CLI
  * Renamed the `--addon-config` flag to `--config` to clarify this flag can be
    used to set any Helm value
  * Added fish shell completions to the `linkerd` command

* Multicluster
  * Replaced the single `service-mirror` controller with separate controllers
    that will be installed per target cluster through `linkerd multicluster
    link`
  * Changed the mechanism for mirroring services: instead of relying on
    annotations on the target services, now the source cluster should specify
    which services from the target cluster should be exported by using a label
    selector
  * Added support for creating multiple service accounts when installing
    multicluster with Helm to allow more granular revocation
  * Added a multicluster `unlink` command for removing multicluster links

* Prometheus
  * Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this
    makes the Linkerd Prometheus more configurable, gives it a separate upgrade
    lifecycle from the rest of the control plane, and allows users to
    disable the bundled Prometheus instance
  * The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:
    added `global.prometheusUrl` to the Helm config to have linkerd use an
    external Prometheus instance instead of the one provided by default
  * Added an option to persist data to a volume instead of memory, so that
    historical metrics are available when Prometheus is restarted
  * The helm chart can now configure persistent storage and limits

* Other
  * Added a new `linkerd.io/inject: ingress` annotation and accompanying
    `--ingress` flag to the `inject` command, to configure the proxy to support
    service profiles and enable per-route metrics and traffic splits for HTTP
    ingress controllers
  * Changed the type of the injector and tap API secrets to `kubernetes.io/tls`
    so they can be provisioned by cert-manager
  * Changed default docker image repository to `ghcr.io` from `gcr.io`; **Users
    who pull the images into private repositories should take note of this
    change**
  * Introduced support for authenticated docker registries
  * Simplified the way that Linkerd stores its configuration; configuration is
    now stored as Helm values in the `linkerd-config` ConfigMap
  * Added support for Helm configuration of per-component proxy resources
    requests

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: [Abereham G
Wodajie](https://github.com/Abrishges), [Alexander
Berger](https://github.com/alex-berger), [Ali
Ariff](https://github.com/aliariff), [Arthur Silva
Sens](https://github.com/ArthurSens), [Chris
Campbell](https://github.com/campbel), [Daniel
Lang](https://github.com/mavrick), [David Tyler](https://github.com/DaveTCode),
[Desmond Ho](https://github.com/DesmondH0), [Dominik
Münch](https://github.com/muenchdo), [George
Garces](https://github.com/jgarces21), [Herrmann
Hinz](https://github.com/HerrmannHinz), [Hu Shuai](https://github.com/hs0210),
[Jeffrey N. Davis](https://github.com/penland365), [Joakim
Roubert](https://github.com/joakimr-axis), [Josh
Soref](https://github.com/jsoref), [Lutz Behnke](https://github.com/cypherfox),
[MaT1g3R](https://github.com/MaT1g3R), [Marcus Vaal](https://github.com/mvaal),
[Markus](https://github.com/mbettsteller), [Matei
David](https://github.com/mateiidavid), [Matt
Miller](https://github.com/mmiller1), [Mayank
Shah](https://github.com/mayankshah1607),
[Naseem](https://github.com/naseemkullah), [Nil](https://github.com/c-n-c),
[OlivierB](https://github.com/olivierboudet), [Olukayode
Bankole](https://github.com/rbankole), [Paul
Balogh](https://github.com/javaducky), [Rajat
Jindal](https://github.com/rajatjindal), [Raphael
Taylor-Davies](https://github.com/tustvold), [Simon
Weald](https://github.com/glitchcrab), [Steve
Gray](https://github.com/steve-gray), [Suraj
Deshmukh](https://github.com/surajssd), [Tharun
Rajendran](https://github.com/tharun208), [Wei Lun](https://github.com/WLun001),
[Zhou Hao](https://github.com/zhouhao3), [ZouYu](https://github.com/Hellcatlk),
[aimbot31](https://github.com/aimbot31),
[iohenkies](https://github.com/iohenkies), [memory](https://github.com/memory),
and [tbsoares](https://github.com/tbsoares)

This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.

* Fixed issue where the `check` command would error when there is no Prometheus
  configured
* Fixed recent regression that caused multicluster on EKS to not work properly
* Changed the `check` command to warn instead of error when webhook certificates
  are near expiry
* Added the `--ingress` flag to the `inject` command which adds the recently
  introduced `linkerd.io/inject: ingress` annotation
* Fixed issue with upgrades where external certs would be fetched and stored
  even though this does not happen on fresh installs with externally created
  certs
* Fixed issue with upgrades where the issuer cert expiration was being reset
* Removed the `--registry` flag from the `multicluster install` command
* Removed default CPU limits for the proxy and control plane components in HA
  mode

This edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It
adds a new `linkerd.io/inject: ingress` annotation to support service profiles
and enable per-route metrics and traffic splits for HTTP ingress controllers

* Added a new `linkerd.io/inject: ingress` annotation to configure the
  proxy to support service profiles and enable per-route metrics and traffic
  splits for HTTP ingress controllers
* Reduced performance impact of logging in the proxy, especially when the
  `debug` or `trace` log levels are disabled
* Fixed spurious warnings logged by the `linkerd profile` CLI command

This edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It
adds a fix for updating the destination service when ther are no endpoints

* Added a fix to clear the EndpointTranslator state when it gets a
  `NoEndpoints` message. This ensures that the clients get the correct set of
  endpoints during an update.

This edge release is a release candidate for stable-2.9.0. For the proxy, there
have been changes to improve performance, remove unused code, and configure
ports that can be ignored by default. Also, this edge release adds enhancements
to the multicluster configuration and observability, adds more translations to
the dashboard, and addresses a bug in the CLI.

* Added more Spanish translations to the dashboard and more labels that can be
  translated
* Added support for creating multiple service accounts when installing
  multicluster with Helm to allow more granular revocation
* Renamed `global.proxy.destinationGetNetworks` to `global.clusterNetworks`.
  This is a cluster-wide setting and can no longer be overridden per-pod
* Fixed an empty multicluster Grafana graph which used a deprecated label
* Added the control plane tracing ServiceAccounts to the linkerd-psp
  RoleBinding so that it can be used in environments where PodSecurityPolicy
  is enabled
* Enhanced EKS support by adding `100.64.0.0/10` to the set of discoverable
  networks
* Fixed a bug in the way that the `--all-namespaces` flag is handled by the
  `linkerd edges` command
* Added a default set of ports to bypass the proxy for server-first, https,
  and memcached traffic

This edge release is a release candidate for stable-2.9.0.  It overhauls the
discovery and routing logic implemented by the proxy, simplifies the way that
Linkerd stores configuration, and adds new Helm values to configure additional
labels, annotations, and namespace selectors for webhooks.

* Added podLabels and podAnnotations Helm values to allow adding additional
  labels or annotations to Linkerd control plane pods (thanks @tustvold!)
* Added namespaceSelector Helm value for configuring the namespace selector
  used by admission webhooks (thanks @tustvold!)
* Expanded the 'linkerd edges' command to show TCP connections
* Overhauled the discovery and routing logic implemented by the proxy:
  * The `l5d-dst-override` header is no longer honored
  * When the application attempts to connect to a pod IP, the proxy no
    longer load balances these requests among all pods in the service.
    The proxy will now honor session-stickiness as selected by an
    application-level load balancer
  * `TrafficSplits` are only applied when a client targets a service's IP
  * The proxy no longer performs DNS "canonicalization" to translate
    relative host header names to a fully-qualified form
* Simplified the way that Linkerd stores its configuration.  Configuration is
  now stored as Helm values in the linkerd-config ConfigMap
* Renamed the --addon-config flag to --config to clarify this flag can be used
  to set any Helm value

## edge-20.10.2

This edge release adds more improvements for mTLS for all TCP traffic.
It also includes significant internal improvements to the way Linkerd
configuration is stored within the cluster.

* Changed TCP metrics exported by the proxy to ensure that peer
  identities are encoded via the `client_id` and `server_id` labels.
* Removed the dependency of control plane components on `linkerd-config`
* Updated the data structure `proxy-injector` uses to derive the configuration
  used when injecting workloads