标签

## edge-20.10.1

This edge release includes a couple of external contributions towards
improved cert-manager support and Grafana charts fixes, among other
enhancements.

* Changed the type of the injector and tap API secrets to `kubernetes.io/tls`,
  so they can be provisioned by cert-manager (thanks @cypherfox!)
* Fixed the "Kubernetes cluster monitoring" Grafana dashboard that had a few
  charts with incomplete data (thanks @aimbot31!)
* Fixed the `service-mirror` multicluster component so that it retries
  connections to the target cluster's Kubernetes API when it's not reachable,
  instead of blocking
* Increased the proxy's default timeout for DNS resolution to 500ms, as there
  were reports that 100ms was too restrictive

This edge release introduces support for authenticated docker registries and
fixes a recent multicluster regression.

* Fixed a regression in multicluster gateway configurations that would forbid
  inbound gateway traffic
* Upgraded bundled Grafana to v7.1.5
* Enabled Jaeger receiver in collector configuration in Helm chart (thanks
  @olivierboudet!)
* Fixed skip port configuration being skipped in CNI plugin
* Introduced support for authenticated docker registries (thanks @c-n-c!)

This edge release includes fixes and updates for the control plane and CLI.

* Added `--dest-cni-bin-dir` flag to the `linkerd install-cni` command, to
  configure the directory on the host where the CNI binary will be placed
* Removed `collector.name` and `jaeger.name` config fields from the tracing
  addon
* Updated Jaeger to 1.19.2
* Fixed a warning about deprecated Go packages in controller container logs

This edge release continues the work of adding support for mTLS for all TCP
traffic and changes the default container registry to `ghcr.io` from `gcr.io`.

If you are upgrading from `stable-2.8.x` with the Linkerd CLI using the
`linkerd upgrade` command, you must add the `--addon-overwrite` flag to ensure
that the grafana image is properly set.

* Removed the default timeout for ServiceProfiles so that ServiceProfile routes
  behave the same as when there is no ServiceProfile definition
* Changed default docker image repository to ghcr.io from gcr.io. **Users who
  pull the images into private repositories should take note of this change**
* Added endpoint labels to outbound TCP metrics to provide more context and
  detail for the metrics, add load balancing to TCP connections
  (bypassing kube-proxy), and secure the connection with mTLS when both
  endpoints are meshed
* Made unnamed ServiceProfile discovery configurable using the
  `proxy.destinationGetNetworks` variable to set the
  `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS` variable in the proxy chart
  template
* Added TLS certificate validation for the Injector, SP Validator, and Tap
  webhooks to the `linkerd check` command

## edge-20.9.1

This edge release contains an important proxy update that allows linkerd to
continue to operate normally in HA during node outages. We're also adding full
Kubernetes 1.19 support!

* Improved the proxy's error handling for DNS errors encountered when
  discovering control plane addresses, which can be common during installation,
  before all components have been started
* The destination and identity services had to be made headless in order to
  support that new controller discovery (which now can leverage SRV records)
* Use SAN fields when generating the linkerd webhook configs; this completes the
  Kubernetes 1.19 support which enforces them
* Fixed `linkerd check` for multicluster that was spuriously claiming the
  absence of some resources
* Improved the injection test cleanup (thanks @zhouhao3!)
* Added ability to run the integration test suite using a cluster in an ARM
  architecture (thanks @aliariff!)

* Fixed a problem causing the `enable-endpoint-slices` flag to not be persisted
  when set via `linkerd upgrade` (thanks @Matei207!)
* Removed SMI-Metrics templates and experimental sub-commands
* Use `--frozen-lockfile` to avoid accidental update of dashboard JS
  dependencies in CI (thanks @tharun208!)

This edge release adds support for [topology-aware service routing][topology] to
the Destination controller. When providing service discovery updates to proxies,
the Destination controller will now filter endpoints based on the service's
topology preferences. Additionally, this release includes bug fixes for the
`linkerd check` CLI command and web dashboard.

* CLI
  * `linkerd check` will no longer warn about a looser webhook failure policy in
    HA mode
* Controller
  * Added support for [topology-aware service routing][topology] to the Destination
    controller (thanks @Matei207)
  * Changed the Destination controller to always return destination overrides
    for service profiles when no traffic split is present
* Web UI
  * Fixed Tap `Authority` dropdown not being populated (thanks to @tharun208!)

[topology]: https://kubernetes.io/docs/concepts/services-networking/service-topology/

This edge release adds an internationalization framework to the dashboard,
Spanish translations to the dashboard UI, and a `linkerd multicluster uninstall`
command for graceful removal of the multicluster components.

* Web UI
  * Added Spanish translations to the dashboard
  * Added a framework and documentation to simplify creation of new
    translations
* Multicluster
  * Added a multicluster uninstall command
  * Added a warning from `linkerd check --multicluster` if the multicluster
    support is not installed

This edge adds multi-arch support to Linkerd! Our docker images and CLI now
support the amd64, arm64, and arm architectures.

* Multicluster
  * Added a multicluster unlink command for removing multicluster links
  * Improved multicluster checks to be more informative when the remote API is
    not reachable
* Proxy
  * Enabled a multi-threaded runtime to substantially improve latency especially
    when the proxy is serving requests for many concurrent connections
* Other
  * Fixed an issue where the debug sidecar image was missing during upgrades
    (thanks @javaducky!)
  * Updated all control plane plane and proxy container images to be multi-arch
    to support amd64, arm64, and arm (thanks @aliariff!)
  * Fixed an issue where check was failing when DisableHeartBeat was set to true
    (thanks @mvaal!)

## edge-20.7.5

This edge brings a new approach to multicluster service mirror controllers and
the way services in target clusters are selected for mirroring.

The long-awaited Bring-Your-Own-Prometheus case has been finally addressed.

Many other improvements from our great contributors are described below. Also
note progress is still being made under the covers for future support for Service
Topologies (by @Matei207) and delivering image builds in multiple platforms (by
@aliariff).

* Multicluster
  * Replaced the single `service-mirror` controller, with separate controllers
    that will be installed per target cluster through `linkerd multicluster
    link`. More info [here](https://github.com/linkerd/linkerd2/pull/4710).
  * Changed the mechanism for mirroring services: instead of relying on
    annotations on the target services, now the source cluster should specify
    which services from the target cluster should be exported by using a label
    selector. More info [here](https://github.com/linkerd/linkerd2/pull/4795).
  * Added new section in the dashboard for exposing multicluster gateway metrics
    (thanks @tharun208!)
* Prometheus
  * Added `global.prometheusUrl` to the Helm config to have linkerd use an
    external Prometheus instance instead of the one provided by default.
  * Added ability to declare sidecar containers in the Prometheus Helm config.
    This allows adding components for cases like exporting logs to services
    such as Cloudwatch, Stackdriver, Datadog, etc. (thanks @memory!)
  * Upgraded Prometheus to the latest version (v2.19.3), which should consume
    substantially less memory, among other benefits.
* Other
  * Fixed bug in `linkerd check` that was failing to wait for Prometheus to be
    available right after having installed linkerd.
  * Added ability to set `priorityClassName` for CNI DaemonSet pods, and to
    install CNI in an existing namespace (both options provided through the CLI
    and as Helm configs) (thanks @alex-berger!)
  * Added support for overriding the proxy's inbound and outbout TCP connection
    timeouts (thanks @mmiller1!)
  * Added library support for dashboard i18n. Strings still need to be tagged
    and translations to be added. More info
    [here](https://github.com/linkerd/linkerd2/pull/4803).
  * In some Helm charts, replaced the non-standard
    `linkerd.io/helm-release-version` annotation with `checksum/config` for
    forcing restarting the component during upgrades (thanks @naseemkullah!)
  * Upgraded the proxy init-container to v1.3.4, which comes with an updated
    debian-buster distro and will provide cleaner logs listing the iptables
    rules applied.

This edge release adds support for the new Kubernetes
[EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)
resource to the Destination controller. Using the EndpointSlice API is more
efficient for the Kubernetes control plane than using the Endpoints API. If
the cluster supports EndpointSlices (a beta feature in Kubernetes 1.17),
Linkerd can be installed with `--enable-endpoint-slices` flag to use this
resource rather than the Endpoints API.

* Added fish shell completions to the `linkerd` command (thanks @WLun001!)
* Enabled the support for EndpointSlices (thanks @Matei207!)
* Separated Prometheus checks and made them runnable only when the add-on
  is enabled

* Add preliminary support for EndpointSlices which will be usable in future
  releases (thanks @Matei207!)
* Internal improvements to the CI process for testing Helm installations

This edge release moves Linkerd's bundled Prometheus into an add-on. This makes
the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle
from the rest of the control plane, and will allow users to disable the bundled
Prometheus instance. In addition, this release includes fixes for several
issues, including a regression where the proxy would fail to report OpenCensus
spans.

* Prometheus is now an optional add-on, enabled by default
* Custom tolerations can now be specified for control plane resources when
  installing with Helm (thanks @DesmondH0!)
* Evicted data plane pods are no longer considered to be failed by `linkerd
  check --proxy`, fixing an issue where the check would be retried indefinitely
  as long as evicted pods are present
* Fixed a regression where proxy spans were not reported to OpenCensus
* Fixed a bug where the proxy injector would fail to render skipped port lists
  when installed with Helm
* Internal improvements to the proxy for lower latencies under high concurrency
* Thanks to @Hellcatlk and @surajssd for adding new unit tests and spelling
  fixes!

This edge release features the option to persist prometheus data to a volume
instead of memory, so that historical metrics are available when prometheus is
restarted. Additional changes are outlined in the bullet points below.

* Some commands like `linkerd stat` would fail if any control plane components
  were unhealthy, even when other replicas are healthy. The check conditions
  for these commands have been improved
* The helm chart can now configure persistent storage for Prometheus
  (thanks @naseemkullah!)
* The proxy log output format can now be configured to `plain` or `json` using
  the `config.linkerd.io/proxy-log-format` annotation or the
  `global.proxy.logFormat` value in the helm chart
  (thanks again @naseemkullah!)
* `linkerd install --addon-config=` now supports URLs in addition to local
  files
* The CNI Helm chart used the incorrect variable name to determine the `createdBy`
  version tag. This is now controlled by `cniPluginVersion` in the helm chart
* The proxy's default buffer size has been increased, which reduces latency when
  the proxy has many concurrent clients

This edge release moves the proxy onto a new version of the Tokio runtime. This
allows us to more easily integrate with the ecosystem and may yield performance
benefits as well.

* Upgraded the proxy's underlying Tokio runtime and its related libraries
* Added support for PKCS8 formatted ECDSA private keys
* Added support for Helm configuration of per-component proxy resources requests
  and limits (thanks @cypherfox!)
* Updated the `linkerd inject` command to throw an error while injecting
  non-compliant pods (thanks @mayankshah1607)

## stable-2.8.1

This release fixes multicluster gateways support on EKS.

* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* Have the service mirror controller check in `linkerd check` retry on failures.
* As of this version we're including a Chocolatey package (Windows) next to the
  other binaries in the release assets in GitHub.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3
* The shell scripts under `bin` continued to be improved, thanks to @joakimr-axis!

## edge-20.6.3

This edge release is a release candidate for stable-2.8.1. It includes a fix
to support multicluster gateways on EKS.

* The `config.linkerd.io/proxy-destination-get-networks` annotation configures
  the networks for which a proxy can discover metadata. This is an advanced
  configuration option that has security implications.
* The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address it not known.
* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
* The CLI will be published for Chocolatey (Windows) on future stable releases.
* Base images have been updated:
  * debian:buster-20200514-slim
  * grafana/grafana:7.0.3

This release introduces new a multi-cluster extension to Linkerd, allowing it
to establish connections across Kubernetes clusters that are secure,
transparent to the application, and work with any network topology.

* The CLI has a new set of `linkerd multicluster` sub-commands that provide
  tooling to create the resources needed to discover services across
  Kubernetes clusters.
* The `linkerd multicluster gateways` command exposes gateway-specific
  telemetry to supplement the existing `stat` and `tap` commands.
* The Linkerd-provided Grafana instance remains enabled by default, but it can
  now be disabled. When it is disabled, the Linkerd dashboard can be
  configured to link to an alternate, externally-managed Grafana instance.
* Jaeger & OpenCensus are configurable as an [add-on][addon-2.8.0]; and the
  proxy has been improved to emit spans with labels that reflect its pod's
  metadata.
* The `linkerd-cni` component has been promoted from _experimental_ to
  _stable_.
* `linkerd profile --open-api` now honors the `x-linkerd-retryable` and
  `x-linkerd-timeout` OpenAPI annotations.
* The Helm chart continues to become more flexible and modular, with new
  Prometheus configuration options. More information is available in the
  [Helm chart README][helm-2.8.0].
* gRPC stream error handling has been improved so that transport errors
  are indicated to the client with a `grpc-status: UNAVAILABLE` trailer.
* The proxy's memory footprint could grow significantly when
  server-speaks-first-protocol connections hit the proxy. Now, a timeout is
  in place to prevent these connections from consuming resources.
* After benchmarking the proxy in high-concurrency situations, the inbound
  proxy has been improved to reduce contention, improving latency and
  reducing spurious timeouts.
* The proxy could fail requests to services that had only 1 request every 60
  seconds. This race condition has been eliminated.
* Finally, users reported that ingress misconfigurations could cause the proxy
  to consume an entire CPU which could lead to timeouts. The proxy now
  attempts to prevent the most common traffic-loop scenarios to protect against
  this.

***NOTE***: Linkerd's `multicluster` extension does not yet work on Amazon
EKS. We expect to follow this release with a stable-2.8.1 to address this
issue. Follow [#4582](https://github.com/linkerd/linkerd2/pull/4582) for updates.

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: @aliariff,
@amariampolskiy, @arminbuerkle, @arthursens, @christianhuening,
@christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble,
@joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207,
@mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.

[addon-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md#add-ons-configuration
[helm-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md

## edge-20.6.2

This edge release is our second release candidate for `stable-2.8`, including
various fixes and improvements around multicluster support.

* CLI
  * Fixed bad output in the `linkerd multicluster gateways` command
  * Improved the error returned when running the CLI with no KUBECONFIG path set
    (thanks @Matei207!)
* Controller
  * Fixed issue where mirror service wasn't created when paired to a gateway
    whose external IP wasn't yet provided
  * Fixed issue where updating the gateway identity annotation wasn't propagated
    back into the mirror gateway endpoints object
  * Fixed issue where updating the gateway ports wasn't reflected in the gateway
    mirror service
  * Increased the log level for some of the service mirror events
  * Changed the nginx gateway config so that it runs as non-root and denies all
    requests to locations other than the probe path
* Web UI
  * Fixed multicluster Grafana dashboard
* Internal
  * Added flag in integration tests to dump fixture diffs into a separate
    directory (thanks @cypherfox!)

This edge release is a release candidate for `stable-2.8`! It introduces several
improvements and fixes for multicluster support.

* CLI
  * Added multicluster daisy chain checks to `linkerd check`
  * Added list of successful gateways in multicluster checks section of `linkerd
    check`
* Controller
  * Renamed `nginx-configuration` ConfigMap to `linkerd-gateway-config` (please
    manually remove the former if upgrading from an earlier multicluster
    install, thanks @mayankshah1607!)
  * Renamed multicluster gateway ports to `mc-gateway` and `mc-probe`
  * Fixed Service Profiles routes for `linkerd-prometheus`
* Internal
  * Fixed shellcheck errors in all `bin/` scripts (thanks @joakimr-axis!)
* Helm
  * Added support for `linkerd mc allow`
  * Added ability to disable secret rescources for self-signed certs (thanks
    @cypherfox!)
* Proxy
  * Modified the `linkerd-gateway` component to use the inbound proxy, rather
    than nginx, for gateway; this allows Linkerd to detect loops and propogate
    identity