Changelog History

  • v2.12.0 Changes

    This release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from the Kubernetes Gateway API.

    The 2.12 release also introduces optional request logging ("access logging" after its name in webservers), optional support for iptables-nft, and a host of other improvements and performance enhancements.

    Additionally, the linkerd-smi extension is now required to use TrafficSplit, and the installation process has been updated to separate management of the Linkerd CRDs from the main installation process. With the CLI, you'll need to run linkerd install --crds before running linkerd install; with Helm, you'll install the new linkerd-crds chart, then the linkerd-control-plane chart. These charts are now versioned using SemVer independently of Linkerd releases. For more information, see the [upgrade notes][upgrade-2120].

    Upgrade notes: Please see the [upgrade instructions][upgrade-2120].

    • Proxy

      • Added a config.linkerd.io/shutdown-grace-period annotation to limit the duration that the proxy may wait for graceful shutdown
      • Added a config.linkerd.io/access-log annotation to enable logging of workload requests
      • Added a new iptables-nft mode for the proxy-init initContainer
      • Added support for non-HTTP traffic forwarding within the mesh in ingress mode
      • Added the /env.json log diagnostic endpoint
      • Added a new process_uptime_seconds_total metric to track proxy uptime in seconds
      • Added support for dynamically discovering policies for ports that are not documented in a pod's containerPorts
      • Added support for route-based inbound HTTP metrics (route_group/route_kind/route_name)
      • Added a new annotation to configure skipping subnets in the init container (config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker workloads (thanks @michaellzc!)
    • Control Plane

      • Added support for per-route policy by supporting AuthorizationPolicy resources which can target HttpRoute or Server resources
      • Added support for bound service account token volumes for the control plane and injected workloads
      • Removed kube-system exclusions from watchers to fix service discovery for workloads in the kube-system namespace (thanks @JacobHenner!)
      • Updated healthcheck to ignore Terminated state for pods (thanks @AgrimPrasad!)
      • Updated the default policy controller log level to info; the controller will now emit INFO level logs for some of its dependencies
      • Added probe authorization by default, allowing clusters that use a default deny policy to not explicitly need to authorize probes
      • Fixed an issue where the proxy-injector would break when using nodeAffinity values for the control plane
      • Fixed an issue where certain control plane components were not restarting as necessary after a trust root rotation
      • Removed SMI functionality in the default Linkerd installation; this is now part of the linkerd-smi extension
    • CLI

      • Fixed the linkerd check command crashing when unexpected pods are found in a Linkerd namespace
      • Updated the linkerd authz command to support AuthorizationPolicy and HttpRoute resources
      • Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens!)
      • linkerd install --crds must be run before linkerd install
      • linkerd upgrade --crds must be run before linkerd upgrade
      • Fixed invalid yaml syntax in the viz extension's tap-injector template (thanks @wc-s!)
      • Fixed an issue where the --default-inbound-policy setting was not being respected
      • Added support for AuthorizationPolicy and HttpRoute to viz authz command
      • Added support for AuthorizationPolicy and HttpRoute to viz stat command
      • Added support for policy metadata in linkerd viz tap
    • Helm

      • Split the linkerd2 chart into linkerd-crds and linkerd-control-plane
      • Charts are now versioned using SemVer independently of Linkerd releases
      • Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
      • Changed the proxy.await Helm value so that users can now disable linkerd-await on control plane components
      • Added the policyController.probeNetworks Helm value for configuring the networks that probes are expected to be performed from
    • Extensions

      • Added annotations to allow Linkerd extension deployments to be evicted by the autoscaler when necessary
      • Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
      • Added a ServiceAccount token Secret to the multicluster extension to support Kubernetes versions >= v1.24

    This release includes changes from a massive list of contributors, including engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and others. A special thank-you to everyone who helped make this release possible:

    Agrim Prasad @AgrimPrasad Ahmed Al-Hulaibi @ahmedalhulaibi Aleksandr Tarasov @aatarasoff Alexander Berger @alex-berger Ao Chen @chenaoxd Badis Merabet @badis Bjørn @Crevil Brian Dunnigan @bdun1013 Christian Schlotter @chrischdi Dani Baeyens @danibaeyens David Symons @multimac Dmitrii Ermakov @ErmakovDmitriy Elvin Efendi @ElvinEfendi Evan Hines @evan-hines-firebolt Eng Zer Jun @Juneezee Gustavo Fernandes de Carvalho @gusfcarvalho Harry Walter @haswalt Israel Miller @imiller31 Jack Gill @jackgill Jacob Henner @JacobHenner Jacob Lorenzen @Jaxwood Joakim Roubert @joakimr-axis Josh Ault @jault-figure João Soares @jasoares jtcarnes @jtcarnes Kim Christensen @kichristensen Krzysztof Dryś @krzysztofdrys Lior Yantovski @lioryantov Martin Anker Have @mahlunar Michael Lin @michaellzc Michał Romanowski @michalrom089 Naveen Nalam @nnalam Nick Calibey @ncalibey Nikola Brdaroski @nikolabrdaroski Or Shachar @or-shachar Pål-Magnus Slåtto @dev-slatto Raman Gupta @rocketraman Ricardo Gândara Pinto @rmgpinto Roberth Strand @roberthstrand Sankalp Rangare @sankalp-r Sascha Grunert @saschagrunert Steve Gray @steve-gray Steve Zhang @zhlsunshine Takumi Sue @mikutas Tanmay Bhat @tanmay-bhat Táskai Dominik @dtaskai Ujjwal Goyal @importhuman Weichung Shaw @wc-s Wim de Groot @wim-de-groot Yannick Utard @utay Yurii Dzobak @yuriydzobak 罗泽轩 @spacewander

    [upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120

  • v2.12.0-rc2 Changes

    This release is the second release candidate for stable-2.12.0.

    At this point the Helm charts can be retrieved from the stable repo:

    helm repo add linkerd https://helm.linkerd.io/stable
    helm repo up
    helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
    helm install linkerd-control-plane \
      -n linkerd \
      --set-file identityTrustAnchorsPEM=ca.crt \
      --set-file identity.issuer.tls.crtPEM=issuer.crt \
      --set-file identity.issuer.tls.keyPEM=issuer.key \
      linkerd/linkerd-control-plane
    

    The following lists all the changes since edge-22.8.2:

    • Fixed inheritance of the linkerd.io/inject annotation from Namespace to Workloads when its value is ingress
    • Added the config.linkerd.io/default-inbound-policy: all-authenticated annotation to linkerd-multicluster's Gateway deployment so that all clients are required to be authenticated
    • Added a ReadHeaderTimeout of 10s to all the go http.Server instances, to avoid being vulnerable to "slowloris" attacks
    • Added a check in linkerd viz check --proxy to warn in case namespaces have the config.linkerd.io/default-inbound-policy: deny annotation, which would not authorize scrapes coming from the linkerd-viz Prometheus instance
    • Added validation for accepted values for the --default-inbound-policy flag
    • Fixed invalid URL in the linkerd install --help output
    • Added --destination-pod flag to linkerd diagnostics endpoints subcommand
    • Added proxyInit.runAsUser in values.yaml defaulting to non-zero, to complement the new default proxyInit.runAsRoot: false that was recently changed
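
The ReadHeaderTimeout change above, shown as an added example (not code from the Linkerd repository): a Go http.Server with and without the timeout, probed by a loopback client that sends an incomplete header block and then stalls. The helper names and the 100ms timeout are assumptions chosen so the example finishes quickly; the release itself uses 10s.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// newServer builds an http.Server. A readHeaderTimeout of 0 reproduces the
// behaviour before the fix: the server places no limit on how long a client
// may take to finish sending its request headers.
// (Hypothetical helper for this example.)
func newServer(readHeaderTimeout time.Duration) *http.Server {
	return &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			fmt.Fprintln(w, "ok")
		}),
		ReadHeaderTimeout: readHeaderTimeout,
	}
}

// droppedStalledClient starts the server on a loopback port, opens a single
// connection that sends an unterminated header block and then goes silent,
// and reports whether the server gave up on that connection within `wait`.
// (Hypothetical helper for this example.)
func droppedStalledClient(readHeaderTimeout, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := newServer(readHeaderTimeout)
	go srv.Serve(ln) // returns http.ErrServerClosed once srv.Close runs
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Constructed input: a request line and one header, but no terminating
	// blank line, so the server keeps waiting for the rest of the headers.
	partial := []byte("GET / HTTP/1.1\r\nHost: example.test\r\n")
	if _, err := conn.Write(partial); err != nil {
		return false, err
	}

	// Wait for the server to react. If our own read deadline fires first,
	// the server is still holding the connection (and its goroutine) open.
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	buf := make([]byte, 1)
	_, err = conn.Read(buf)
	if errors.Is(err, os.ErrDeadlineExceeded) {
		return false, nil
	}
	// EOF, a reset, or any response bytes: the server ended the exchange.
	return true, nil
}

func main() {
	for _, timeout := range []time.Duration{0, 100 * time.Millisecond} {
		dropped, err := droppedStalledClient(timeout, time.Second)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("ReadHeaderTimeout=%v stalled client dropped=%v\n", timeout, dropped)
	}
}
```

With the timeout unset the stalled connection is held for as long as the client keeps it open, which is the resource-exhaustion condition the changelog entry addresses.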
  • v2.11.0 Changes

    This release introduces access control policies. Default policies may be configured at the cluster- and workspace-levels; and fine grained policies may be instrumented via the new policy.linkerd.io/v1beta1 CRDs: Server and ServerAuthorization. These resources may be created to define how individual ports accept connections; and the Server resource will be a building block for future features that configure inbound proxy behavior.

    Furthermore, ServiceProfile retry configurations can now instrument retries for requests with bodies. This unlocks retry behavior for gRPC services.

    Upgrade notes: Please see the [upgrade instructions][upgrade-2110].

    • Proxy

      • Reduced CPU & Memory usage by up to 30% in some load tests
      • Updated retries to support requests with bodies up to 64KB. ServiceProfiles may now configure retries for gRPC services
      • The proxy's container image is now based on gcr.io/distroless/cc to contain a minimal OS footprint that should not trigger unnecessary alerts in security scanners
      • Added the inbound_http_errors_total and outbound_http_errors_total metrics to reflect errors that caused the proxy to respond with errors
      • Added an l5d-proxy-error header that is included on responses on trusted connections for debugging purposes
      • Added a l5d-client-id header on mutually-authenticated inbound requests so that applications can discover the client's identity
      • Added metrics to reflect TCP and HTTP authorization decisions
      • Added srv_name and saz_name labels to inbound HTTP metrics
      • Fixed an issue that could cause the proxy to continually reconnect to defunct service endpoints
      • Dropped support for non-HTTP outbound services when linkerd.io/inject: ingress is used
      • Instrumented fuzz testing to help guard against unexpected panics
    • Control Plane

      • Added a new policy-controller container to the linkerd-destination pod--the first control plane component implemented in Rust
      • Added a new admission controller to validate that multiple Server resources do not reference the same port
      • Added a linkerd-identity-trust-roots ConfigMap which configures the trust root bundle for all pods in the core control plane namespace
      • Eliminated the linkerd-controller deployment so that Linkerd's core control plane now consists of only 3 deployments
      • Updated the proxy injector to configure the proxy-init container with NET_RAW and NET_ADMIN capabilities so that the container does not fail when the pod drops these capabilities
    • CLI

      • Enhanced linkerd completion to expand Kubernetes resources from the current kubectl context
      • Added an authz subcommand to display the authorization policies that impact a workload
      • Added a short output mode for linkerd check that only prints failed checks
      • Added support for ReplicaSets to linkerd stat so that pods created by Argo Rollout resources can be inspected
    • Helm: please see the [upgrade instructions][upgrade-2110].

    • Extensions:

      • Introduced a new (optional) SMI extension responsible for reading specs.smi-spec.io resources and converting them to Linkerd resources
      • In stable-2.12, this extension will be required to use TrafficSplit resources with Linkerd
      • Added an extensions page to the Linkerd Web UI
      • Viz
        • Added Server and ServerAuthorization resources for all ports
        • Added JSON log formatting
      • Jaeger
        • Added OpenTelemetry collector instead of OpenCensus
      • Multicluster
        • Added experimental support for StatefulSet workloads

    This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible:

    Gustavo Fernandes de Carvalho @gusfcarvalho Oleg Vorobev @olegy2008 Bart Peeters @bartpeeters Stepan Rabotkin @EpicStep LiuDui @xichengliudui Andrew Hemming @drewhemm Ujjwal Goyal @importhuman Knut Götz @knutgoetz Sanni Michael @sannimichaelse Brandon Sorgdrager @bsord Gerald Pape @ubergesundheit Alexey Kostin @rumanzo rdileep13 @rdileep13 Takumi Sue @mikutas Akshit Grover @akshitgrover Sanskar Jaiswal @aryan9600 Aleksandr Tarasov @aatarasoff Taylor @skinn Miguel Ángel Pastor Olivar @migue wangchenglong01 @wangchenglong01 Josh Soref @jsoref Carol Chen @kipply Peter Smit @psmit Tarvi Pillessaar @tarvip James Roper @jroper Dominik Münch @muenchdo Szymon Gibała @Szymongib Mitch Hulscher @mhulscher

    [upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110

  • v2.10.1 Changes

    This stable release adds CLI support for Apple Silicon M1 chips and support for SMI's TrafficSplit v1alpha2.

    There are several proxy fixes: handling FailedPrecondition errors gracefully, inbound TLS detection from non-meshed workloads, and using the correct cached client when the proxy is in ingress mode. The logging infrastructure has also been improved to reduce memory pressure in high-connection environments.

    On the control-plane side, there have been several improvements to the destination service such as support for Host IP lookups and ignoring pods in "Terminating" state. It also updates the proxy-injector to add opaque ports annotation to pods if their namespace has it set.

    On the CLI side, linkerd repair has been updated to be aware of the control-plane version and suggest the relevant version to generate the right config. Various bugs have been fixed around linkerd identity, etc.

    Upgrade notes: Please refer to the 2.10 upgrade instructions if you are upgrading from 2.9.x or earlier versions.

    • Proxy:

      • Fixed an issue where proxies could infinitely retry failed requests to the destination controller when it returned a FailedPrecondition
      • The proxy's logging infrastructure has been updated to reduce memory pressure in high-connection environments.
      • Fixed a caching issue in the outbound proxy that would cause it to forward traffic to the wrong pod when running in ingress mode.
      • Fixed an issue where inbound TLS detection from non-meshed workloads could break
      • Fixed an issue where the admin server's HTTP detection would fail and not recover; these are now handled gracefully and without logging warnings
      • Control plane proxies no longer emit warnings about the resolution stream ending. This error was innocuous.
      • Bumped the proxy-init image to v1.3.11 which updates the go version to be 1.16.2
    • Control Plane:

      • Fixed an issue where the destination service would respond with too big of a header and result in http2 protocol errors
      • Fixed an issue where the destination control plane component sometimes returned endpoint addresses with a 0 port number while pods were undergoing a rollout (thanks @riccardofreixo!)
      • Fixed an issue where pod lookups by host IP and host port fail even though the cluster has a matching pod
      • Updated the IP Watcher in destination to ignore pods in "Terminating" state (thanks @Wenliang-CHEN!)
      • Modified the proxy-injector to add the opaque ports annotation to pods if their namespace has it set
      • Added Support for TrafficSplit v1alpha2
      • Updated all the control-plane components to use go 1.16.2.
    • CLI:

      • Fixed an issue where the linkerd identity command returned the root certificate of a pod instead of its leaf certificates
      • Fixed an issue where the destination service would respond with too big of a header and result in http2 protocol errors
      • Updated the release process to build Linkerd CLI binaries for Apple Silicon M1 chips
      • Improved error messaging when trying to install Linkerd on a cluster that already had Linkerd installed
      • Added a loading spinner to the linkerd check command when running extension checks
      • Added installNamespace toggle in the jaeger extension's install. (thanks @jijeesh!)
      • Updated healthcheck pkg to have hintBaseURL configurable, useful for external extensions using that pkg
      • Fixed TCP read and write bytes/sec calculations to group by label based off inbound or outbound traffic
      • Fixed an issue in linkerd inject where the wrong annotation would be added when using --ingress flag
      • Updated linkerd repair to be aware of the client and server versions
      • Updated linkerd uninstall to print error message when there are no resources to uninstall.
    • Helm:

      • Aligned the Helm installation heartbeat schedule to match that of the CLI
    • Viz:

      • Fixed an issue where the topology graph in the dashboard was no longer draggable.
      • Updated dashboard build to use webpack v5
      • Added CA certs to the Viz extension's metrics-api container so that it can validate the certificate of an external Prometheus
      • Removed components from the control plane dashboard that now are part of the Viz extension
      • Changed web's base image from debian to scratch
    • Multicluster:

      • Fixed an issue with Multicluster's service mirror where its endpoint repair retries were not properly rate limited
    • Jaeger:

      • Fixed components in the Jaeger extension to set the correct Prometheus scrape values
  • v2.10.0 Changes

    This release introduces Linkerd extensions. The default control plane no longer includes Prometheus, Grafana, the dashboard, or several other components that previously shipped by default. This results in a much smaller and simpler set of core functionalities. Visibility and metrics functionality is now available in the Viz extension under the linkerd viz command. Cross-cluster communication functionality is now available in the Multicluster extension under the linkerd multicluster command. Distributed tracing functionality is now available in the Jaeger extension under the linkerd jaeger command.

    This release also introduces the ability to mark certain ports as "opaque", indicating that the proxy should treat the traffic as opaque TCP instead of attempting protocol detection. This allows the proxy to provide TCP metrics and mTLS for server-speaks-first protocols. It also enables support for TCP traffic in the Multicluster extension.

    Upgrade notes: Please see the upgrade instructions.

    • Proxy

      • Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains enabled for compatibility with prior proxy versions
      • Improved support for server-speaks-first protocols by allowing ports to be marked as opaque, causing the proxy to skip protocol detection. Ports can be marked as opaque by setting the config.linkerd.io/opaque-ports annotation on the Pod and Service or by using the --opaque-ports flag with linkerd inject
      • Ports 25,443,587,3306,5432,11211 have been removed from the default skip ports; all traffic through those ports is now proxied and handled opaquely by default
      • Fixed an issue that could cause proxies in "ingress mode" (linkerd.io/inject: ingress) to use an excessive amount of memory
      • Improved diagnostic logging around "fail fast" and "max-concurrency exhausted" error messages
      • Added a new /shutdown admin endpoint that may only be accessed over the loopback network allowing batch jobs to gracefully terminate the proxy on completion
    • Control Plane

      • Removed all components and functionality related to visibility, tracing, or multicluster. These have been moved into extensions
      • Changed the identity controller to receive the trust anchor via environment variable instead of by flag; this allows the certificate to be loaded from a config map or secret (thanks @mgoltzsche!)
      • Added PodDisruptionBudgets to the control plane components so that they cannot be all terminated at the same time during disruptions (thanks @tustvold!)
    • CLI

      • Changed the check command to include each installed extension's check output; this allows users to check for proper configuration and installation of Linkerd without running a command for each extension
      • Moved the metrics, endpoints, and install-sp commands into subcommands under the diagnostics command
      • Added an --opaque-ports flag to linkerd inject to easily mark ports as opaque.
      • Added the repair command which will repopulate resources needed for properly upgrading a Linkerd installation
      • Added Helm-style set, set-string, values, set-files customization flags for the linkerd install and linkerd upgrade commands
      • Introduced the linkerd identity command, used to fetch the TLS certificates for injected pods (thanks @jimil749)
      • Removed the get and logs command from the CLI
    • Helm

      • Changed many Helm values, please see the upgrade notes
    • Viz

      • Introduced the linkerd viz subcommand which contains commands for installing the viz extension and all visibility commands
      • Updated the Web UI to only display the "Gateway" sidebar link when the multicluster extension is active
      • Added a linkerd viz list command to list pods with tap enabled
      • Fixed an issue where the tap APIServer would not refresh its certs automatically when provided externally (like through cert-manager)
    • Multicluster

      • Introduced the linkerd multicluster subcommand which contains commands for installing the multicluster extension and all multicluster commands
      • Added support for cross-cluster TCP traffic
      • Updated the service mirror controller to copy the config.linkerd.io/opaque-ports annotation when mirroring services so that cross-cluster traffic can be correctly handled as opaque
      • Added support for multicluster gateways of types other than LoadBalancer (thanks @DaspawnW!)
    • Jaeger

      • Introduced the linkerd jaeger subcommand which contains commands for installing the jaeger extension and all tracing commands
      • Added a linkerd jaeger list command to list pods with tracing enabled

    This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: Lutz Behnke Björn Wenzel Filip Petkovski Simon Weald GMarkfjard hodbn Hu Shuai Jimil Desai jiraguha Joakim Roubert Josh Soref Kelly Campbell Matei David Mayank Shah Max Goltzsche Mitch Hulscher Eugene Formanenko Nathan J Mehl Nicolas Lamirault Oleh Ozimok Piyush Singariya Naga Venkata Pradeep Namburi rish-onesignal Shai Katz Takumi Sue Raphael Taylor-Davies Yashvardhan Kukreja

  • v2.9.1 Changes

    December 10, 2020

    stable-2.9.1

    This stable release contains a number of proxy enhancements: better support for
    high-traffic workloads, improved performance by eliminating unnecessary endpoint
    resolutions for TCP traffic and properly tearing down serverside connections
    when errors occur, and reduced memory consumption on proxies which maintain many
    idle connections (such as Prometheus' proxy).

    On the CLI and control plane sides, it relaxes checks on root and intermediate
    certificates (following X509 best practices), and fixes two issues: one that
    prevented installation of the control plane into a custom namespace and one
    which failed to update endpoint information when a headless service was
    modified.

    Proxy:

    • Addressed some issues reported around clients seeing max-concurrency errors
      by increasing the default in-flight request limit to 100K pending requests
    • Reduced the default idle connection timeout to 5s for outbound clients and
      for inbound clients to reduce the proxy's memory footprint, especially on
      Prometheus instances
    • Fixed an issue where the proxy did not receive updated endpoint information
      when a headless service was modified
    • Added HTTP/2 keepalive PING frames
    • Removed logic to avoid redundant TCP endpoint resolution
    • Fixed an issue where serverside connections were not torn down when an error
      occurred

    CLI / Helm / Control Plane:

    • Fixed a CLI issue where the linkerd-namespace flag was not honored when
      passed to the install and upgrade commands
    • Fixed installing HA through the CLI (linkerd install --ha) that wasn't
      honoring some of the default settings found in values-ha.yml
    • Force the webhook pods (proxy-injector, sp-validator and tap) to be
      restarted when upgrading through the CLI, if a secret they rely on changes
    • Fixed multicluster installation using Helm (thanks @DaspawnW!)
    • Updated linkerd check so that it doesn't attempt to validate the subject
      alternative name (SAN) on root and intermediate certificates. SANs for leaf
      certificates will continue to be validated
    • Fixed an issue in the destination service where endpoints always included a
      protocol hint, regardless of the controller label being present or not
    • Removed the get and logs command from the CLI
    • No longer panic in rare cases when linkerd-config doesn't have an entry
      for Global configs (thanks @hodbn!)
  • v2.9.0 Changes

    November 06, 2020

    stable-2.9.0

    This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
    connections, allowing Linkerd to transparently encrypt and authenticate all TCP
    connections in the cluster the moment it's installed. It also adds ARM support,
    introduces a new multi-core proxy runtime for higher throughput, adds support
    for Kubernetes service topologies, and lots, lots more, as described below:

    (For upgrade instructions please check the docs)

    Proxy

    • Performed internal improvements for lower latencies under high concurrency
    • Reduced performance impact of logging, especially when the debug or
      trace log levels are disabled
    • Improved error handling for DNS errors encountered when discovering control
      plane addresses; this can be common during installation before all
      components have been started, allowing linkerd to continue to operate
      normally in HA during node outages

    Control Plane

    • Added support for topology-aware service routing to the Destination
      controller; when providing service discovery updates to proxies the
      Destination controller will now filter endpoints based on the service's
      topology preferences
    • Added support for the new Kubernetes EndpointSlice resource to the
      Destination controller; Linkerd can be installed with
      --enable-endpoint-slices flag to use this resource rather than the
      Endpoints API in clusters where this new API is supported

    Dashboard

    • Added new Spanish translations (please help us translate into your
      language!)
    • Added new section for exposing multicluster gateway metrics

    CLI

    • Renamed the --addon-config flag to --config to clarify this flag can be
      used to set any Helm value
    • Added fish shell completions to the linkerd command

    Multicluster

    • Replaced the single service-mirror controller with separate controllers
      that will be installed per target cluster through linkerd multicluster link
    • Changed the mechanism for mirroring services: instead of relying on
      annotations on the target services, now the source cluster should specify
      which services from the target cluster should be exported by using a label
      selector
    • Added support for creating multiple service accounts when installing
      multicluster with Helm to allow more granular revocation
    • Added a multicluster unlink command for removing multicluster links

    Prometheus

    • Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this
      makes the Linkerd Prometheus more configurable, gives it a separate upgrade
      lifecycle from the rest of the control plane, and allows users to
      disable the bundled Prometheus instance
    • The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:
      added global.prometheusUrl to the Helm config to have linkerd use an
      external Prometheus instance instead of the one provided by default
    • Added an option to persist data to a volume instead of memory, so that
      historical metrics are available when Prometheus is restarted
    • The helm chart can now configure persistent storage and limits

    Other

    • Added a new linkerd.io/inject: ingress annotation and accompanying
      --ingress flag to the inject command, to configure the proxy to support
      service profiles and enable per-route metrics and traffic splits for HTTP
      ingress controllers
    • Changed the type of the injector and tap API secrets to kubernetes.io/tls
      so they can be provisioned by cert-manager
    • Changed default docker image repository to ghcr.io from gcr.io; Users
      who pull the images into private repositories should take note of this
      change
    • Introduced support for authenticated docker registries
    • Simplified the way that Linkerd stores its configuration; configuration is
      now stored as Helm values in the linkerd-config ConfigMap
    • Added support for Helm configuration of per-component proxy resources
      requests

    This release includes changes from a massive list of contributors. A special
    thank-you to everyone who helped make this release possible:
    Abereham G Wodajie, Alexander Berger, Ali Ariff, Arthur Silva Sens, Chris Campbell,
    Daniel Lang, David Tyler, Desmond Ho, Dominik Münch, George Garces, Herrmann Hinz,
    Hu Shuai, Jeffrey N. Davis, Joakim Roubert, Josh Soref, Lutz Behnke, MaT1g3R,
    Marcus Vaal, Markus, Matei David, Matt Miller, Mayank Shah, Naseem, Nil, OlivierB,
    Olukayode Bankole, Paul Balogh, Rajat Jindal, Raphael Taylor-Davies, Simon Weald,
    Steve Gray, Suraj Deshmukh, Tharun Rajendran, Wei Lun, Zhou Hao, ZouYu, aimbot31,
    iohenkies, memory and tbsoares

  • v2.8.1 Changes

    This release fixes multicluster gateways support on EKS.

    • The multicluster service-mirror has been extended to resolve DNS names for target clusters when an IP address is not known.
    • Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger for providing a fix!
    • Have the service mirror controller check in linkerd check retry on failures.
    • As of this version we're including a Chocolatey package (Windows) next to the other binaries in the release assets in GitHub.
    • Base images have been updated:
      • debian:buster-20200514-slim
      • grafana/grafana:7.0.3
    • The shell scripts under bin continued to be improved, thanks to @joakimr-axis!
  • v2.8.0 Changes

    This release introduces a new multi-cluster extension to Linkerd, allowing it to establish connections across Kubernetes clusters that are secure, transparent to the application, and work with any network topology.

    • The CLI has a new set of linkerd multicluster sub-commands that provide tooling to create the resources needed to discover services across Kubernetes clusters.
    • The linkerd multicluster gateways command exposes gateway-specific telemetry to supplement the existing stat and tap commands.
    • The Linkerd-provided Grafana instance remains enabled by default, but it can now be disabled. When it is disabled, the Linkerd dashboard can be configured to link to an alternate, externally-managed Grafana instance.
    • Jaeger & OpenCensus are configurable as an [add-on][addon-2.8.0]; and the proxy has been improved to emit spans with labels that reflect its pod's metadata.
    • The linkerd-cni component has been promoted from experimental to stable.
    • linkerd profile --open-api now honors the x-linkerd-retryable and x-linkerd-timeout OpenAPI annotations.
    • The Helm chart continues to become more flexible and modular, with new Prometheus configuration options. More information is available in the Helm chart README.
    • gRPC stream error handling has been improved so that transport errors are indicated to the client with a grpc-status: UNAVAILABLE trailer.
    • The proxy's memory footprint could grow significantly when server-speaks-first-protocol connections hit the proxy. Now, a timeout is in place to prevent these connections from consuming resources.
    • After benchmarking the proxy in high-concurrency situations, the inbound proxy has been improved to reduce contention, improving latency and reducing spurious timeouts.
    • The proxy could fail requests to services that had only 1 request every 60 seconds. This race condition has been eliminated.
    • Finally, users reported that ingress misconfigurations could cause the proxy to consume an entire CPU which could lead to timeouts. The proxy now attempts to prevent the most common traffic-loop scenarios to protect against this.

    NOTE: Linkerd's multicluster extension does not yet work on Amazon EKS. We expect to follow this release with a stable-2.8.1 to address this issue. Follow #4582 for updates.

    This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: @aliariff, @amariampolskiy, @arminbuerkle, @arthursens, @christianhuening, @christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble, @joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207, @mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.

    [addon-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md#add-ons-configuration

  • v2.7.0 Changes

    This release adds support for integrating Linkerd's PKI with an external certificate issuer such as [cert-manager] as well as streamlining the certificate rotation process in general. For more details about cert-manager and certificate rotation, see the docs. This release also includes performance improvements to the dashboard, reduced memory usage of the proxy, various improvements to the Helm chart, and much much more.

    To install this release, run: curl https://run.linkerd.io/install | sh

    Upgrade notes: This release includes breaking changes to our Helm charts. Please see the upgrade instructions.

    Special thanks to: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre, @javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607, @Pothulapati, and @StupidScience!

    Full release notes:

    • CLI
      • Updated the mTLS trust anchor checks to eliminate false positives caused by extra trailing spaces
      • Reduced the severity level of the Linkerd version checks, so that they don't fail when the external version endpoint is unreachable (thanks @mayankshah1607!)
      • Added a new tap APIService check to aid with uncovering Kubernetes API aggregation layer issues (thanks @droidnoob!)
      • Introduced CNI checks to confirm the CNI plugin is installed and ready; this is done through linkerd check --pre --linkerd-cni-enabled before installation and linkerd check after installation if the CNI plugin is present
      • Added support for the --as-group flag so that users can impersonate groups for Kubernetes operations (thanks @mayankshah1607!)
      • Added HA specific checks to linkerd check to ensure that the kube-system namespace has the config.linkerd.io/admission-webhooks:disabled label set
      • Fixed a problem causing the presence of unnecessary empty fields in generated resource definitions (thanks @mayankshah1607)
      • Added the ability to pass both port numbers and port ranges to --skip-inbound-ports and --skip-outbound-ports (thanks to @javaducky!)
      • Increased the comprehensiveness of linkerd check --pre
      • Added TLS certificate validation to check and upgrade commands
      • Added support for injecting CronJobs and ReplicaSets, as well as the ability to use them as targets in the CLI subcommands
      • Introduced the new flags --identity-issuer-certificate-file, --identity-issuer-key-file and --identity-trust-anchors-file to linkerd upgrade to support trust anchor and issuer certificate rotation
      • Added a check that ensures using --namespace and --all-namespaces results in an error as they are mutually exclusive
      • Added a Dashboard.Replicas parameter to the Linkerd Helm chart to allow configuring the number of dashboard replicas (thanks @KIVagant!)
      • Removed redundant service profile check (thanks @alenkacz!)
      • Updated uninject command to work with namespace resources (thanks @mayankshah1607!)
      • Added a new --identity-external-issuer flag to linkerd install that configures Linkerd to use certificates issued by an external certificate issuer (such as cert-manager)
      • Added support for injecting a namespace to linkerd inject (thanks @mayankshah1607!)
      • Added checks to linkerd check --preinstall ensuring Kubernetes Secrets can be created and accessed
      • Fixed linkerd tap sometimes displaying incorrect pod names for unmeshed IPs that match multiple running pods
      • Made linkerd install --ignore-cluster and --skip-checks faster
      • Fixed a bug causing linkerd upgrade to fail when used with --from-manifest
      • Made --cluster-domain an install-only flag (thanks @bmcstdio!)
      • Updated check to ensure that proxy trust anchors match configuration (thanks @ereslibre!)
      • Added condition to the linkerd stat command that requires a window size of at least 15 seconds to work properly with Prometheus
    • Controller
      • Fixed an issue where an override of the Docker registry was not being applied to debug containers (thanks @javaducky!)
      • Added check for the Subject Alternate Name attributes to the API server when access restrictions have been enabled (thanks @javaducky!)
      • Added support for arbitrary pod labels so that users can leverage the Linkerd provided Prometheus instance to scrape for their own labels (thanks @daxmc99!)
      • Fixed an issue with CNI config parsing
      • Fixed a race condition in the linkerd-web service
      • Updated Prometheus to 2.15.2 (thanks @Pothulapati)
      • Increased minimum kubernetes version to 1.13.0
      • Added support for pod ip and service cluster ip lookups in the destination service
      • Added recommended kubernetes labels to control-plane
      • Added the --wait-before-exit-seconds flag to linkerd inject for the proxy sidecar to delay the start of its shutdown process (a huge commit from @KIVagant, thanks!)
      • Added a pre-sign check to the identity service
      • Fixed inject failures for pods with security context capabilities
      • Added conntrack to the debug container to help with connection tracking debugging
      • Fixed a bug in tap where a mismatched cluster domain and trust domain caused tap to hang
      • Fixed an issue in the identity RBAC resource which caused start up errors in k8s 1.6 (thanks @Pothulapati!)
      • Added support for using trust anchors from an external certificate issuer (such as cert-manager) to the linkerd-identity service
      • Added support for headless services (thanks @JohannesEH!)
    • Helm
      • Breaking change: Renamed noInitContainer parameter to cniEnabled
      • Breaking change: Updated Helm charts to follow best practices (thanks @Pothulapati and @javaducky!)
      • Fixed an issue with helm install where the lists of ignored inbound and outbound ports would not be reflected
      • Fixed the linkerd-cni Helm chart not setting proper namespace annotations and labels
      • Fixed certificate issuance lifetime not being set when installing through Helm
      • Updated the helm build to retain previous releases
      • Moved CNI template into its own Helm chart
    • Proxy
      • Fixed an issue that could cause the OpenCensus exporter to stall
      • Improved error classification and error responses for gRPC services
      • Fixed a bug where the proxy could stop receiving service discovery updates, resulting in 503 errors
      • Improved debug/error logging to include detailed contextual information
      • Fixed a bug in the proxy's logging subsystem that could cause the proxy to consume memory until the process is OOM killed, especially when the proxy was configured to log diagnostic information
      • Updated proxy dependencies to address RUSTSEC-2019-0033, RUSTSEC-2019-0034, and RUSTSEC-2020-02
    • Web UI
      • Fixed an error when refreshing an already open dashboard when the Linkerd version has changed
      • Increased the speed of the dashboard by pausing network activity when the dashboard is not visible to the user
      • Added support for CronJobs and ReplicaSets, including new Grafana dashboards for them
      • Added linkerd check to the dashboard in the /controlplane view
      • Added request and response headers to the tap expanded view in the dashboard
      • Added filter to namespace select button
      • Improved how empty tables are displayed
      • Added Host: header validation to the linkerd-web service, to protect against DNS rebinding attacks
      • Made the dashboard sidebar component responsive
      • Changed the navigation bar color to the one used on the Linkerd website
    • Internal
      • Added validation to incoming sidecar injection requests that ensures the value of linkerd.io/inject is either enabled or disabled (thanks @mayankshah1607)
      • Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
      • Fixed an issue causing tap, injector and sp-validator to use old certificates after helm upgrade due to not being restarted
      • Fixed incomplete Swagger definition of the tap api, causing benign error logging in the kube-apiserver
      • Removed the destination container from the linkerd-controller deployment as it now runs in the linkerd-destination deployment
      • Allowed the control plane to be injected with the debug container
      • Updated proxy image build script to support HTTP proxy options (thanks @joakimr-axis!)
      • Updated the CLI doc command to auto-generate documentation for the proxy configuration annotations (thanks @StupidScience!)
      • Added new --trace-collector and --trace-collector-svc-account flags to linkerd inject that configures the OpenCensus trace collector used by proxies in the injected workload (thanks @Pothulapati!)
      • Added a new --control-plane-tracing flag to linkerd install that enables distributed tracing in the control plane (thanks @Pothulapati!)
      • Added distributed tracing support to the control plane (thanks @Pothulapati!)