conduit changelog

Changelog History

Page 18

• v19.5.2 Changes

  • CLI
    • Fixed linkerd check and linkerd dashboard failing when any control plane pod is not ready, even when multiple replicas exist (as in HA mode)
  • Controller
    • Fixed control plane components failing on startup when the Kubernetes API returns an ErrGroupDiscoveryFailed
  • Proxy
    • Added a dispatch timeout that limits the amount of time a request can be buffered in the proxy
    • Removed the limit on the number of concurrently active service discovery queries to the destination service

  ✅ Special thanks to @zaharidichev for adding end to end tests for proxies with TLS!

• v19.5.1 Changes

  • CLI
    • Added a linkerd check config command for verifying that linkerd install config was successful
    • Improved the help documentation of linkerd install to clarify flag usage
    • Added support for private Kubernetes clusters by changing the CLI to connect to the control plane using a port-forward (thanks, @jackprice!)
  • Controller
    • Fixed pod creation failure when a ResourceQuota exists by adding a default resource spec for the proxy-init init container
  • Proxy
    • Replaced the fixed reconnect backoff with an exponential one (thanks, @zaharidichev!)
    • Fixed an issue where load balancers can become stuck
  • Internal
    • Fixed integration tests by adding known proxy-injector log warning to tests

• v19.4.5 Changes

  ⚡️ Significant Update

  🚀 As of this edge release the proxy injector component is always installed. To have the proxy injector inject a pod you still can manually add the linkerd.io/inject: enable annotation into the pod spec, or at the namespace 🚀 level to have all your pods be injected by default. With this release the behaviour of the linkerd inject command changes, where the proxy sidecar 0️⃣ container YAML is no longer included in its output by default, but instead it will just add the annotations to defer the injection to the proxy injector. For use cases that require the full injected YAML to be output, a new --manual flag has been added.

  ⚡️ Another important update is the introduction of install stages. You still have the old linkerd install command, but now it can be broken into linkerd install config which installs the resources that require cluster-level privileges, and linkerd install control-plane that continues with the resources that only require namespace-level privileges. This also applies to ⬆️ the linkerd upgrade command.

  • CLI

    • Breaking Change Removed the --proxy-auto-inject flag, as the proxy injector is now always installed
    • Breaking Change Replaced the --linkerd-version flag with the --proxy-version flag in the linkerd install and linkerd upgrade commands, which allows setting the version for the injected proxy sidecar image, without changing the image versions for the control plane
    • Introduced install stages: linkerd install config and linkerd install control-plane
    • Introduced upgrade stages: linkerd upgrade config and linkerd upgrade control-plane
    • Introduced a new --from-manifests flag to linkerd upgrade allowing manually feeding a previously saved output of linkerd install into the command, instead of requiring a connection to the cluster to fetch the config
    • Introduced a new --manual flag to linkerd inject to output the proxy sidecar container spec
    • Introduced a new --enable-debug-sidecar option to linkerd inject, that injects a debug sidecar to inspect traffic to and from the meshed pod
    • Added a new check for unschedulable pods and PSP issues (thanks, @liquidslr!)
    • Disabled the spinner in linkerd check when running without a TTY
    • Ensured the ServiceAccount for the proxy injector is created before its Deployment to avoid warnings when installing the proxy injector (thanks, @dwj300!)

  • Controller

    • Added Go pprof HTTP endpoints to all control plane components' admin servers to better assist debugging efforts
    • Fixed bug in the proxy injector, where sporadically the pod workload owner wasn't properly determined, which would result in erroneous stats
    • Added support for a new config.linkerd.io/disable-identity annotation to opt out of identity for a specific pod

  • 💻 Web UI

    • Added the Font Awesome stylesheet locally; this allows both Font Awesome and Material-UI sidebar icons to display consistently with no/limited internet access (thanks again, @liquidslr!)

  • Internal

    • Known container errors were hidden in the integration tests; now they are reported in the output, still without having the tests fail

• v19.4.4 Changes

  • Proxy
    • Fixed a connection starvation issue where TLS discovery detection on slow or idle connections could block all other connections from being accepted on the inbound listener of the proxy
  • CLI
    • Fixed inject to allow the --disable-identity flag to be used without having to specify the --ignore-cluster flag
  • 💻 Web UI
    • The Overview page in the Linkerd dashboard now renders appropriately when viewed on mobile devices

• v19.4.3 Changes

  • CLI
    • Fixed linkerd upgrade command not upgrading proxy containers (thanks @jon-walton for the issue report!)
    • Fixed linkerd upgrade command not installing the identity service when it was not already installed
    • Eliminate false-positive vulnerability warnings related to go.uuid

  ⚡️ Special thanks to @KatherineMelnyk for updating the web component to read the UUID from the linkerd-config ConfigMap!

• v19.4.2 Changes

  • CLI
    • Removed TLS metrics from the stat command; this is in preparation for surfacing identity metrics in a clearer way
    • The upgrade command now outputs a URL that explains next steps for upgrading
    • Breaking Change: The --linkerd-cni-enabled flag has been removed from the inject command; CNI is configured at the cluster level with the install command and no longer applies to the inject command
  • Controller
    • Service profile validation is now performed via a webhook endpoint; this prevents Kubernetes from accepting invalid service profiles
    • Added support for the config.linkerd.io/proxy-version annotation on pod specs; this will override the injected proxy version
    • Changed the default CPU request from 10m to 100m for HA deployments; this will help some intermittent liveness/readiness probes from failing due to tight resource constraints
  • Proxy
    • The CommonName field on CSRs is now set to the proxy's identity name
  • 💻 Web UI
    • Removed TLS columns from the dashboard tables; this is in preparation for surfacing identity metrics in a clearer way

• v19.4.1 Changes

  • CLI
    • Introduced an upgrade command! This allows an existing Linkerd control plane to be reinstalled or reconfigured; it is particularly useful for automatically reusing flags set in the previous install or upgrade
    • The inject command proxy options are now converted into config annotations; the annotations ensure that these configs are persisted in subsequent resource updates
    • The stat command now always shows the number of open TCP connections
    • Breaking Change Removed the --disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new --enable-external-profiles flag
  • Controller
    • The auto-inject admission controller webhook is updated to watch pods creation and update events; with this change, proxy auto-injection now works for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc
  • Proxy
    • Some l5d-* informational headers have been temporarily removed from requests and responses because they could leak information to external clients
  • 💻 Web UI
    • The topology graph now shows TCP stats if no HTTP stats are available
    • Improved table display on the resource detail page for resources with TCP-only traffic
    • Added validation to the "new service profile" form (thanks @liquidslr!)

• v19.3.3 Changes

  ⚡️ Significant Update

  🚀 This edge release introduces a new TLS Identity system into the default 🔗 Linkerd installation, replacing --tls=optional and the linkerd-ca controller. Now, proxies generate ephemeral private keys into a tmpfs directory and dynamically refresh certificates, authenticated by Kubernetes ServiceAccount tokens, via the newly-introduced Identity controller.

  0️⃣ Now, all meshed HTTP communication is private and authenticated by default.

  • CLI
    • Changed install to accept or generate an issuer Secret for the Identity controller
    • Changed install to fail in the case of a conflict with an existing installation; this can be disabled with the --ignore-cluster flag
    • Changed inject to require fetching a configuration from the control plane; this can be disabled with the --ignore-cluster and --disable-identity flags, though this will prevent the injected pods from participating in mesh identity
    • Breaking change Removed the --tls=optional flag from the linkerd install command, since TLS is now enabled by default
    • Added the ability to adjust the Prometheus log level
  • Proxy
    • Fixed a stream leak between the proxy and the control plane that could cause the linkerd-controller pod to use an excessive amount of memory
    • Introduced per-proxy private key generation and dynamic certificate renewal
    • Added a readiness check endpoint on :4191/ready so that Kubernetes doesn't consider pods ready until they have acquired a certificate from the Identity controller
    • The proxy's connect timeouts have been updated, especially to improve reconnect behavior between the proxy and the control plane
  • 💻 Web UI
    • Added TCP stats to the Linkerd Pod Grafana dashboard
    • Fixed the behavior of the Top query 'Start' button if a user's query returns no data
    • Added stable sorting for table rows
    • Fixed an issue with the order of tables returned from a Top Routes query
    • Added text wrap for paths in the modal for expanded Tap query data
  • Internal
    • Improved the bin/go-run script for the build process so that on failure, all associated background processes are terminated

  💻 Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone and @sourishkrout at @smallstep for collaboration and advice on the Identity system!

• v19.3.2 Changes

  • Controller
    • Breaking change Removed support for running the control plane in single-namespace mode, which was severely limited in the number of features it supported due to not having access to cluster-wide resources
    • Updated automatic proxy injection and CLI injection to support overriding inject defaults via pod spec annotations
    • Added a new public API endpoint for fetching control plane configuration
  • CLI
    • Breaking change Removed the --api-port flag from the inject and install commands, since there's no benefit to running the control plane's destination API on a non-default port (thanks, @paranoidaditya)
    • Introduced the linkerd metrics command for fetching proxy metrics
    • Updated the linkerd routes command to display rows for routes that are not receiving any traffic
    • Updated the linkerd dashboard command to serve the dashboard on a fixed port, allowing it to leverage browser local storage for user settings
  • 💻 Web UI
    • New Added a Community page to surface news and updates from linkerd.io
    • Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
    • Added a Grafana dashboard and web tables for displaying Job stats (thanks, @Pothulapati!)
    • Updated sorting of route table to move default routes to the bottom
    • Added TCP stat tables on the namespace landing page and resource detail page

• v19.3.1 Changes

  • CLI
    • Introduced a check for NET_ADMIN in linkerd check
    • Fixed permissions check for CRDs
    • Included kubectl version check as part of linkerd check (thanks @yb172!)
    • Added TCP stats to the stat command, under the -o wide and -o json flags
  • Controller
    • Updated the mutatingwebhookconfiguration so that it is recreated when the proxy injector is restarted, so that the MWC always picks up the latest config template during version upgrade
  • Proxy
    • Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
    • The l5d-remote-ip header is now set on inbound requests and outbound responses
  • 💻 Web UI
    • Fixed sidebar not updating when resources were added/deleted (thanks @liquidslr!)
    • Added filter functionality to the metrics tables
  • Internal
    • Added more log errors to the integration tests
    • Removed the GOPATH dependence from the CLI dev environment
    • Consolidated injection code from CLI and admission controller code paths

• « First
• ‹ Prev
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• Next ›
• Last »