-
edge-23.9.4bc97b021 · ·
This edge release makes Linkerd even better. * Added a controlPlaneVersion override to the `linkerd-control-plane` Helm chart to support including SHA256 image digests in Linkerd manifests (thanks @cromulentbanana!) ([#11406]) * Improved `linkerd viz check` to attempt to validate that the Prometheus scrape interval will work well with the CLI and Web query parameters ([#11376]) * Improved CLI error handling to print differentiated error information when versioncheck.linkerd.io cannot be resolved (thanks @dtaskai) ([#11377]) * Fixed an issue where the destination controller would not update pod metadata for profile resolutions for a pod accessed via the host network (e.g. HostPort endpoints) ([#11334]). * Added a validating webhook config for httproutes.gateway.networking.k8s.io resources (thanks @mikutas!) ([#11150]) * Introduced a new `multicluster check --timeout` flag to limit the time allowed for Kubernetes API calls (thanks @moki1202) ([#11420]) [#11150]: https://github.com/linkerd/linkerd2/pull/11150 [#11334]: https://github.com/linkerd/linkerd2/pull/11334 [#11376]: https://github.com/linkerd/linkerd2/pull/11376 [#11377]: https://github.com/linkerd/linkerd2/pull/11377 [#11406]: https://github.com/linkerd/linkerd2/pull/11406 [#11420]: https://github.com/linkerd/linkerd2/pull/11420 -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgd81rZBOcvM2l+Y/wYc9F7RfLtw mSDbBgt7nNnPPHXKQAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQP2/4yQtlkqwKoNryzCjcAJPQ72mqNVADLpQeICnPi+NJMUBQBp+dn3idYOowNg7C4 vHikwBonvrvcYmzcd+hwc= -----END SSH SIGNATURE-----
-
stable-2.13.7526633fd · ·
This stable release backports two fixes that address security vulnerabilities. The proxy's dependency on the webpki library has been updated to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer. In addition, the CNI and proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the runtime image's `libcap` library. Finally, the release contains a backported fix for service discovery on endpoints that use hostPorts which could potentially disrupt connections on pod restarts. * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts ([#11328]) * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052] ([#11389]) * CNI * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI plugin ([#11348]) [#11328]: https://github.com/linkerd/linkerd2/pull/11328 [#11348]: https://github.com/linkerd/linkerd2/pull/11348 [#11389]: https://github.com/linkerd/linkerd2/pull/11389 [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [CVE-2023-2603]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
-
stable-2.14.1f496587b · ·
This stable release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP associated with the endpoint which could break connectivity on pod restarts. Discovery responses have been changed to instead return the host IP. This release also fixes an issue in the multicluster extension where an empty `remoteDiscoverySelector` field in the `Link` resource would cause all services to be exported. Finally, this release includes numerous other fixes and enhancements and addresses two security vulnerabilities, [CVE-2023-2603][CVE-2023-2603-stable] detected in the proxy-init runtime image's libcap library and [RUSTSEC-2023-0052][RUSTSEC-2023-0052-stable], a potential CPU usage denial-of-service attack in the proxy's `webpki` library dependency. * CLI * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280]) * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd inject` (thanks @mikutas!) ([#10231]) * CNI * Addressed security vulnerability [CVE-2023-2603][CVE-2023-2603-stable] in proxy-init and CNI plugin ([#11296]) * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts ([#11328]) * Updated HTTPRoute webhook rule to validate all apiVersions of the resource (thanks @mikutas!) ([#11149]) * Helm * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes [#10778]) * Introduced resource requests/limits for the policy controller resource in the control plane helm chart ([#11301]) * Multicluster * Fixed an issue where an empty `remoteDiscoverySelector` field in a multicluster link would cause all services to be mirrored ([#11309]) * Removed time out from `linkerd multicluster gateways` command; when no metrics exist the command will return instantly ([#11265]) * Improved help messaging for `linkerd multicluster link` ([#11265]) * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-stable] in the proxy ([#11361]) [CVE-2023-2603-stable]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5 [RUSTSEC-2023-0052-stable]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
-
edge-23.9.34a336ba8 · ·
This edge release updates the proxy's dependency on the `rustls` library to patch security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when acceting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. Furthermore, this edge release contains a few improvements to the control plane and jaeger extension Helm charts. * Addressed security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0] in the proxy by updating its dependency on the `rustls` library * Added a `prometheusUrl` field for the heartbeat job in the control plane Helm chart (thanks @david972!) ([#11343]; fixes [#11342]) * Introduced support for arbitrary labels in the `podMonitors` field in the control plane Helm chart (thanks @jseiser!) ([#11222]; fixes [#11175]) * Added support for config merge and Deployment environment to `opentelemetry-collector` in the jaeger extension (thanks @iAnomaly!) ([#11283]) [#11283]: https://github.com/linkerd/linkerd2/pull/11283 [#11222]: https://github.com/linkerd/linkerd2/pull/11222 [#11175]: https://github.com/linkerd/linkerd2/issues/11175 [#11343]: https://github.com/linkerd/linkerd2/pull/11343 [#11342]: https://github.com/linkerd/linkerd2/issues/11342 [RUSTSEC-2023-0052-0]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
-
edge-23.9.2f5e490c0 · ·
## edge-29.9.2 This edge release updates the proxy's dependency on the `webpki` library to patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361]) * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280]) * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes [#10778]) [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [#11295]: https://github.com/linkerd/linkerd2/pull/11295 [#11280]: https://github.com/linkerd/linkerd2/issues/11280 [#11361]: https://github.com/linkerd/linkerd2/pull/11361 [#11329]: https://github.com/linkerd/linkerd2/pull/11329 [#10778]: https://github.com/linkerd/linkerd2/issues/10778
-
edge-23.9.1a9f845c9 · ·
This edge release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP for the discovery request which could break connectivity on pod restart. To fix this, direct pod communication for a pod bound on a hostPort will always return the hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603) detected in the CNI plugin and proxy-init images, and includes a number of other fixes and small improvements. * Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin ([#11296]) * Introduced resource requests/limits for the policy controller resource in the control plane helm chart ([#11301]) * Fixed an issue where an empty `remoteDiscoverySelector` field in a multicluster link would cause all services to be mirrored ([#11309]) * Removed time out from `linkerd multicluster gateways` command; when no metrics exist the command will return instantly ([#11265]) * Improved help messaging for `linkerd multicluster link` ([#11265]) * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts ([#11328]) * Updated HTTPRoute webhook rule to validate all apiVersions of the resource (thanks @mikutas!) ([#11149]) * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd inject` (thanks @mikutas!) ([#10231]) [#11309]: https://github.com/linkerd/linkerd2/issues/11309 [#11296]: https://github.com/linkerd/linkerd2/discussions/11296 [#11328]: https://github.com/linkerd/linkerd2/pull/11328 [#11301]: https://github.com/linkerd/linkerd2/issues/11301 [#11265]: https://github.com/linkerd/linkerd2/pull/11265 [#11149]: https://github.com/linkerd/linkerd2/pull/11149 [#10231]: https://github.com/linkerd/linkerd2/issues/10231
-
stable-2.12.65b422851 · ·
This stable release backports a service mirror memory leak fix. The service mirror previously had an issue where certain resources weren't cleaned up properly resulting in a memory leak. * Fixed a memory leak in the multicluster service mirror component ([10746]) [10746]: https://github.com/linkerd/linkerd2/issues/10746
-
stable-2.14.0a4bec904 · ·
This release introduces direct pod-to-pod multicluster service mirroring. When clusters are deployed on a flat network, Linkerd can export multicluster services in a way where cross-cluster traffic does not need to go through the gateway. This enhances multicluster authentication and can reduce the need for provisioning public load balancers. In addition, this release adds support for the [Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resource (in the `gateway.networking.k8s.io` api group). This improves compatibility with other tools that use these resources such as [Flagger](https://flagger.app/) and [Argo Rollouts](https://argoproj.github.io/rollouts/). The release also includes a large number of features and improvements to HTTPRoute including the ability to set timeouts and the ability to define consumer-namespace HTTPRoutes. Finally, this release includes a number of bugfixes, performance improvements, and other smaller additions. **Upgrade notes**: Please see the [upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2140). * Multicluster * Remove namespace field from cluster scoped resources to fix pruning * Added -o json flag for the `linkerd multicluster gateways` command (thanks @hiteshwani29) * Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks @bunnybilou!) * Added leader-election capabilities to the service-mirror controller * Added high-availability (HA) mode for the multicluster service-mirror * Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD, which enables a service mirroring mode where the control plane performs discovery for the mirrored service from the remote cluster, rather than creating Endpoints for the mirrored service in the source cluster * HTTPRoute * Fixed `linkerd uninstall` issue for HTTPRoute * Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy controller * Added support for RequestHeaderModifier and RequestRedirect HTTP filters in outbound policy; filters may be added at the route or backend level * Added support for the `ResponseHeaderModifier` HTTPRoute filter * Added support for HTTPRoutes defined in the consumer namespace * Added support for HTTPRoute `parent_refs` that do not specify a port * CRDs * Patched the MeshTLSAuthentication CRD to force providing at least one identity/identityRef * Control Plane * Send Opaque protocol hint for opaque ports in destination controller * Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm charts with `topology.kubernetes.io/zone` labels (thanks @piyushsingariya!) * Replaced `server_port_subscribers` Destination controller gauge metric with `server_port_subscribes` and `server_port_unsubscribes` counter metrics * Proxy * Handle Opaque protocol hints on endpoints * Added `outbound_http_balancer_endpoints` metric * Fixed missing route_ metrics for requests with ServiceProfiles * Fixed proxy startup failure when using the `config.linkerd.io/admin-port` annotation (thanks @jclegras!) * Added distinguishable version information to proxy logs and metrics * CLI * The `linkerd diagnostics policy` command now displays outbound policy when the target resource is a Service * A fix for HA validation checks when Linkerd is installed with Helm. Thanks @mikutas!! * Viz * Add the `kubelet` NetworkAuthentication back since it is used by the `linkerd viz allow-scrapes` subcommand. * Fixed the `linkerd viz check` command so that it will wait until the viz extension becomes ready * Fixed an issue where specifying a `remote_write` config would cause the Prometheus config to be invalid (thanks @hiteshwani29) * Improved validation of the `--to` and `--from` flags for the `linkerd viz stat` command (thanks @pranoyk) * Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields (thanks @hiteshwani29!) * Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!) * Fixed missing "Services" menu item in the Spanish localization for the `linkerd-viz` web dashboard (thanks @mclavel!) * Extensions * Added missing label `linkerd.io/extension` to certain resources to ensure they pruned when appropriate (thanks @ClementRepo) * Added tolerations and nodeSelector support in extensions `namespace-metadata` Jobs (thanks @pssalman!) * Init Containers * Added an option for disabling the network validator's security context for environments that provide their own * CNI * Added --set flag to install-cni plugin (thanks @amit-62!) * Fixed missing resource-cni labels on linkerd-cni, this blocked the linkerd-cni pods from coming up when the injector was broken (thanks @migueleliasweb!) * Build * Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!! This release includes changes from a massive list of contributors! A special thank-you to everyone who helped make this release possible: * Amir Karimi @AMK9978 * Amit Kumar @amit-62 * Andre Marcelo-Tanner @kzap * Andrew @andrew-gropyus * Arnaud Beun @bunnybilou * Clement @proxfly * Dima @krabradosty * Grégoire Bellon-Gervais @albundy83 * Harsh Soni @harsh020 * Jean-Charles Legras @jclegras * Loong Dai @daixiang0 * Mark Robinson @MarkSRobinson * Miguel Elias dos Santos @migueleliasweb * Pranoy Kumar Kundu @pranoyk * Ryan Hristovski @ryanhristovski * Takumi Sue @mikutas * Zakhar Bessarab @zekker6 * hiteshwani29 @hiteshwani29 * pheianox * pssalman @pssalman
-
edge-23.8.313157bd5 · ·
## edge-23.8.3 This is a release candidate for stable-2.14.0; we encourage you to help trying it out! This edge release contains a number of improvements over the multi-cluster features introduced in the last edge release supporting flat networks. It also hardens the containers security stance by removing write access to the root filesystem. * Enhanced `linkerd multicluster link` to allow clusters to be linked without a gateway ([#11226]) * Added cluster store size gauge metric ([#11256]) * Disabled local traffic policy for remote discovery ([#11257]) * Fixed various innocuous multi-cluster warnings ([#11251], [#11246], [#11253]) * Set `readOnlyRootFilesystem: true` in all the containers, as they don't require write permissions ([#11221]; fixes [#11142]) (thanks @mikutas!) [#11226]: https://github.com/linkerd/linkerd2/pull/11226 [#11256]: https://github.com/linkerd/linkerd2/pull/11256 [#11257]: https://github.com/linkerd/linkerd2/pull/11257 [#11251]: https://github.com/linkerd/linkerd2/pull/11251 [#11246]: https://github.com/linkerd/linkerd2/pull/11246 [#11253]: https://github.com/linkerd/linkerd2/pull/11253 [#11221]: https://github.com/linkerd/linkerd2/pull/11221 [#11142]: https://github.com/linkerd/linkerd2/issues/11142 -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgKsHYzTTiJc883LmaPRYSoBhwFm oAaV1b0j4q1C1YYDsAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQNprkRH/j/fn0ihKM4P1/fDmfC4PUQ2jS9aqOuZGeQBIr/9V5j4CObteppdP1lRfkX /MRAP2NooGugI6W6JnPQ4= -----END SSH SIGNATURE-----
-
edge-23.8.2e61c4b51 · ·
## edge-23.8.2 This edge release adds improvements to Linkerd's multi-cluster features as part of the [flat network support] planned for Linkerd stable-2.14.0. In addition, it fixes an issue ([#10764]) where warnings about an invalid metric were logged frequently by the Destination controller. * Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD, which enables a service mirroring mode where the control plane performs discovery for the mirrored service from the remote cluster, rather than creating Endpoints for the mirrored service in the source cluster ([#11190], [#11201], [#11220], and [#11224]) * Fixed missing "Services" menu item in the Spanish localization for the `linkerd-viz` web dashboard ([#11229]) (thanks @mclavel!) * Replaced `server_port_subscribers` Destination controller gauge metric with `server_port_subscribes` and `server_port_unsubscribes` counter metrics ([#11206]; fixes [#10764]) * Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm charts with `topology.kubernetes.io/zone` labels ([#11148]; fixes [#11114]) (thanks @piyushsingariya!) [#10764]: https://github.com/linkerd/linkerd2/issues/10764 [#11114]: https://github.com/linkerd/linkerd2/issues/11114 [#11148]: https://github.com/linkerd/linkerd2/issues/11148 [#11190]: https://github.com/linkerd/linkerd2/issues/11190 [#11201]: https://github.com/linkerd/linkerd2/issues/11201 [#11206]: https://github.com/linkerd/linkerd2/issues/11206 [#11220]: https://github.com/linkerd/linkerd2/issues/11220 [#11224]: https://github.com/linkerd/linkerd2/issues/11224 [#11229]: https://github.com/linkerd/linkerd2/issues/11229 [flat network support]: https://linkerd.io/2023/07/20/enterprise-multi-cluster-at-scale-supporting-flat-networks-in-linkerd/
-
stable-2.13.67b545117 · ·
## stable-2.13.6 This stable release fixes a regression introduced in stable-2.13.0 which resulted in proxies shedding load too aggressively while under moderate request load to a single service ([#11055]). In addition, it updates the base image for the `linkerd-cni` initcontainer to resolve a CVE in `libdb` ([#11196]), fixes a race condition in the Destination controller that could cause it to crash ([#11163]), as well as fixing a number of other issues. * Control Plane * Fixed a race condition in the destination controller that could cause it to panic ([#11169]; fixes [#11163]) * Improved the granularity of logging levels in the control plane ([#11147]) * Proxy * Changed the default HTTP request queue capacities for the inbound and outbound proxies back to 10,000 requests ([#11198]; fixes [#11055]) * CLI * Updated extension CLI commands to prefer the `--registry` flag over the `LINKERD_DOCKER_REGISTRY` environment variable, making the precedence more consistent (thanks @harsh020!) (see [#11144]) * CNI * Updated `linkerd-cni` base image to resolve [CVE-2019-8457] in `libdb` ([#11196]) * Changed the CNI plugin installer to always run in 'chained' mode; the plugin will now wait until another CNI plugin is installed before appending its configuration ([#10849]) * Removed `hostNetwork: true` from linkerd-cni Helm chart templates ([#11158]; fixes [#11141]) (thanks @abhijeetgauravm!) * Multicluster * Fixed the `linkerd multicluster check` command failing in the presence of lots of mirrored services ([#10764]) [#10764]: https://github.com/linkerd/linkerd2/issues/10764 [#10849]: https://github.com/linkerd/linkerd2/issues/10849 [#11055]: https://github.com/linkerd/linkerd2/issues/11055 [#11141]: https://github.com/linkerd/linkerd2/issues/11141 [#11144]: https://github.com/linkerd/linkerd2/issues/11144 [#11147]: https://github.com/linkerd/linkerd2/issues/11147 [#11158]: https://github.com/linkerd/linkerd2/issues/11158 [#11163]: https://github.com/linkerd/linkerd2/issues/11163 [#11169]: https://github.com/linkerd/linkerd2/issues/11169 [#11196]: https://github.com/linkerd/linkerd2/issues/11196 [#11198]: https://github.com/linkerd/linkerd2/issues/11198 [CVE-2019-8457]: https://avd.aquasec.com/nvd/2019/cve-2019-8457/
-
edge-23.8.15fe0c0e1 · ·
## edge-23.8.1 This edge release restores a proxy setting for it to shed load less aggressively while under high load, which should result in lower error rates (see #11055). It also removes the usage of host networking in the linkerd-cni extension. * Changed the default HTTP request queue capacities for the inbound and outbound proxies back to 10,000 requests (see #11055 and #11198) * Lifted need of using host networking in the linkerd-cni Daemonset (#11141) (thanks @abhijeetgauravm!) -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgKsHYzTTiJc883LmaPRYSoBhwFm oAaV1b0j4q1C1YYDsAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQAv0kTaG06Dk4zxehDl7M8IE71bliLMbmUCM7/RHcwfbBIXJUjaAS1m5KfIK+V2pn7 ip5i8aLBkFxM94GY6ajww= -----END SSH SIGNATURE-----
-
edge-23.7.3478027ab · ·
This edge release improves Linkerd's support for HttpRoute by allowing `parent_ref` ports to be optional, allowing HttpRoutes to be defined in a consumer's namespace, and adding support for the `ResponseHeaderModifier` filter. It also fixes a panic in the destination controller. * Added an option for disabling the network validator's security context for environments that provide their own * Added high-availability (HA) mode for the multicluster service-mirror * Added support for HttpRoute `parent_refs` that do not specify a port * Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!) * Added support for HttpRoutes defined in the consumer namespace * Improved the granularity of logging levels in the control plane * Fixed a race condition in the destination controller that could cause it to panic * Added support for the `ResponseHeaderModifier` HttpRoute filter * Updated extension CLI commands to prefer the `--register` flag over the `LINKERD_DOCKER_REGISTRY` environment variable, making the precedence more consistent (thanks @harsh020!)
-
edge-23.7.269947dae · ·
This edge release introduces support for HTTP filters configured through both `policy.linkerd.io` and `gateway.networking.k8s.io` HTTPRoute resources. Currently, RequestHeaderModifier and RequestRedirect HTTP filters are supported. Additionally, this release fixes an issue with the linkerd-cni chart. * Added support for RequestHeaderModifier and RequestRedirect HTTP filters in outbound policy; filters may be added at the route or backend level * Fixed missing resource-cni labels on linkerd-cni, this blocked the linkerd-cni pods from coming up when the injector was broken (thanks @migueleliasweb!)
-
edge-23.7.1a9613989 · ·
## edge-23.7.1 This edge release adds support for the upstream `gateway.networking.k8s.io` HTTPRoute resource (in addition to the `policy.linkerd.io` CRD installed by Linkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to fall back to ServiceProfiles for destinations without HTTPRoutes. * Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy controller * Added distinguishable version information to proxy logs and metrics * Fixed incorrect handling of `NotFound` client policies in ingress-mode proxies
-
edge-23.6.375c9335e · ·
## edge-23.6.3 This edge release adds leader-election capabilities to the service-mirror controller under the hood, as a precursor to HA mode in an upcoming release. It also includes a `linkerd viz tap` improvement and a proxy startup bugfix, both contributed by the community! * Added leader-election capabilities to the service-mirror controller * Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields (thanks @hiteshwani29!) * Fixed proxy startup failure when using the `config.linkerd.io/admin-port` annotation (thanks @jclegras!) -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgKsHYzTTiJc883LmaPRYSoBhwFm oAaV1b0j4q1C1YYDsAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQISkKcGfQBQeG6+lEyC0No5cALGqCMNiGTO81kEJI8yXiuLl0P/KwIjpBP1lPMm4HJ j2SOARSEmMgqYzVreu+wo= -----END SSH SIGNATURE-----
-
stable-2.13.5da70f776 · ·
This stable release fixes a memory leak in the multicluster extension and fixes an issue where the proxy was failing certain requests when running in ingress mode. * Fixed a memory leak in the service mirror controller * Fixed an issue where the proxy would fail requests that were missing the `l5d-dst-override` header when run in ingress mode
-
edge-23.6.2352e404a · ·
This edge release introduces timeout capabilities for HTTPRoutes in a manner compatible with the proposed changes to HTTPRoute in [kubernetes-sigs/gateway-api#1997](https://github.com/kubernetes-sigs/gateway-api/pull/1997). This release also includes several small improvements and fixes: * A fix for HA validation checks when Linkerd is installed with Helm. Thanks @mikutas!! * Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!
-
edge-23.6.153ec66a4 · ·
This edge release changes the behavior of the CNI plugin to run exclusively in "chained mode". Instead of creating its own configuration file, the CNI plugin will now wait until a `conf` file exists before appending its configuration. Additionally, this change includes a bug fix for topology aware service routing. * Changed the CNI plugin installer to always run in 'chained' mode; the plugin will now wait until another CNI plugin is installed before appending its configuration * Fixed bug where topology routing would not disable while service was under load (thanks @MarkSRobinson!) * Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks @bunnybilou!)
-
stable-2.13.4dc18965b · ·
This stable release fixes a few issues in the proxy and in the outbound policy API. Two new configuration options are also introduced to configure the outbound (and inbound) cache discovery idle period for proxies. The configuration is supported through annotations and through Helm values. * Control Plane * Fixed an issue where the `namespace` field on HTTPRoute `backendRef`s was ignored, and the backend Service would always be assumed to be in the namespace as the parent Service * Fixed an issue where default authorizations generated for readiness and liveness probes would fail if the probe path included URI query parameters * Added the ability to configure the proxy's discovery cache timeouts with the config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout and config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout annotations * Fixed bug where topology routing would not disable while service was under load (thanks @MarkSRobinson!) * Proxy * Fixed an issue where meshed pods could not communicate with themselves through a ClusterIP Service * Fixed an issue with W3C trace context propagation which caused proxy spans to be siblings rather than children of their original parent (thanks @whiskeysierra) * Fixed the proxy not using gRPC response classification for gRPC requests to destinations without ServiceProfiles * Helm * Introduced outbound/inbound cache discovery cache idle timeout configuration values