linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

APACHE-2.0 License


linkerd2 - edge-21.1.1

Published by github-actions[bot] almost 4 years ago

edge-21.1.1

This edge release introduces a new "opaque transport" feature that allows the
proxy to securely transport server-speaks-first and otherwise opaque TCP
traffic. Using the config.linkerd.io/opaque-ports annotation on pods and
namespaces, users can configure ports that should skip the proxy's protocol
detection.

Additionally, a new linkerd-viz extension has been introduced that separates
the installation of the Grafana, Prometheus, web, and tap components. This
extension closely follows the Jaeger and multicluster extensions; users can
install and uninstall with the linkerd viz .. command as well as configure
for HA with the --ha flag.

The linkerd viz install command does not have any cli flags to customize the
install directly, but instead follows the Helm way of customization by using
flags such as set, set-string, values, set-files.

Finally, a new /shutdown admin endpoint that may only be accessed over the
loopback network has been added. This allows batch jobs to gracefully terminate
the proxy on completion. The linkerd-await utility can be used to automate
this.

  • Added a new linkerd multicluster check command to validate that the
    linkerd-multicluster extension is working correctly
  • Fixed description in the linkerd edges command (thanks @jsoref!)
  • Moved the Grafana, Prometheus, web, and tap components into a new Viz chart,
    following the same extension model that multicluster and Jaeger follow
  • Introduced a new "opaque transport" feature that allows the proxy to securely
    transport server-speaks-first and otherwise opaque TCP traffic
  • Removed the check comparing the ca.crt field in the identity issuer secret
    and the trust anchors in the Linkerd config; these values being different is
    not a failure case for the linkerd check command (thanks @cypherfox!)
  • Removed the Prometheus check from the linkerd check command since it now
    depends on a component that is installed with the Viz extension
  • Fixed error messages thrown by the cert checks in linkerd check (thanks
    @pradeepnnv!)
  • Added PodDisruptionBudgets to the control plane components so that they cannot
    be all terminated at the same time during disruptions (thanks @tustvold!)
  • Fixed an issue that displayed the wrong linkerd.io/proxy-version when it is
    overridden by annotations (thanks @mateiidavid!)
  • Added support for custom registries in the linkerd-viz helm chart (thanks
    @jimil749!)
  • Renamed proxy-mutator to jaeger-injector in the linkerd-jaeger extension
  • Added a new /shutdown admin endpoint that may only be accessed over the
    loopback network allowing batch jobs to gracefully terminate the proxy on
    completion
  • Introduced the linkerd identity command, used to fetch the TLS certificates
    for injected pods (thanks @jimil749)
  • Fixed an issue with the CNI plugin where it was incorrectly terminating and
    emitting error events (thanks @mhulscher!)
  • Re-added support for non-LoadBalancer service types in the
    linkerd-multicluster extension

linkerd2 - edge-20.12.4

Published by github-actions[bot] almost 4 years ago

edge-20.12.4

This edge release adds support for the config.linkerd.io/opaque-ports
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
linkerd-jaeger extension, fixes bugs in the CLI install and upgrade
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.

  • Added support for the config.linkerd.io/opaque-ports annotation on pods and
    namespaces, to indicate to the proxy that some ports should skip protocol
    detection
  • Fixed an issue where linkerd install --ha failed to honor flags
  • Fixed an issue where linkerd upgrade --ha can override existing configs
  • Added missing label to the linkerd-config-overrides secret to avoid breaking
    upgrades performed with the help of kubectl apply --prune
  • Added a missing icon to Jaeger Helm chart
  • Added new linkerd jaeger check CLI command to validate that the
    linkerd-jaeger extension is working correctly
  • Added new linkerd jaeger uninstall CLI command to print the linkerd-jaeger
    extension's resources so that they can be piped into kubectl delete
  • Fixed an issue where the linkerd-cni daemonset may not be installed on all
    intended nodes, due to missing tolerations to the linkerd-cni Helm chart
    (thanks @rish-onesignal!)
  • Fixed an issue where the tap APIServer would not refresh its certs
    automatically when provided externally—like through cert-manager
  • Changed the proxy's cache eviction strategy to reduce memory consumption,
    especially for busy HTTP/1.1 clients
  • Fixed an issue in the proxy's HTTP protocol detection which could cause false
    positives for non-HTTP traffic
  • Increased the proxy's default dispatch timeout to 5 seconds to accommodate
    connection pools which might open connections without immediately making a
    request
  • Updated the proxy's Tokio dependency to v0.3

linkerd2 - edge-20.12.3

Published by github-actions[bot] almost 4 years ago

edge-20.12.3

This edge release is functionally the same as edge-20.12.2. It fixes an issue
that prevented the release build from occurring.

linkerd2 - stable-2.9.1

Published by github-actions[bot] almost 4 years ago

Warning: there is a known issue where upgrading to this release with the --prune flag as described in the Linkerd Upgrade documentation will delete certain Linkerd configuration and prevent you from performing any subsequent upgrades. It is highly recommended that you skip this version and instead upgrade directly to stable-2.9.3 or later. If you have already upgraded to this version, you can repair your installation by upgrading your CLI to stable-2.9.3 and using the linkerd repair command.

stable-2.9.1

This stable release contains a number of proxy enhancements: better support for
high-traffic workloads, improved performance by eliminating unnecessary endpoint
resolutions for TCP traffic and properly tearing down serverside connections
when errors occur, and reduced memory consumption on proxies which maintain many
idle connections (such as Prometheus' proxy).

On the CLI and control plane sides, it relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service was
modified.

  • Proxy:

    • Addressed some issues reported around clients seeing max-concurrency errors
      by increasing the default in-flight request limit to 100K pending requests
    • Reduced the default idle connection timeout to 5s for outbound clients and
      for inbound clients to reduce the proxy's memory footprint, especially on
      Prometheus instances
    • Fixed an issue where the proxy did not receive updated endpoint information
      when a headless service was modified
    • Added HTTP/2 keepalive PING frames
    • Removed logic to avoid redundant TCP endpoint resolution
    • Fixed an issue where serverside connections were not torn down when an error
      occurred
  • CLI / Helm / Control Plane:

    • Fixed a CLI issue where the linkerd-namespace flag was not honored when
      passed to the install and upgrade commands
    • Fixed installing HA through the CLI (linkerd install --ha) that wasn't
      honoring some of the default settings found in values-ha.yml
    • Force the webhook pods (proxy-injector, sp-validator and tap) to be
      restarted when upgrading through the CLI, if a secret they rely on changes
    • Fixed multicluster installation using Helm (thanks @DaspawnW!)
    • Updated linkerd check so that it doesn't attempt to validate the subject
      alternative name (SAN) on root and intermediate certificates. SANs for leaf
      certificates will continue to be validated
    • Fixed an issue in the destination service where endpoints always included a
      protocol hint, regardless of the controller label being present or not
    • Removed the get and logs command from the CLI
    • No longer panic in rare cases when linkerd-config doesn't have an entry
      for Global configs (thanks @hodbn!)

linkerd2 - edge-20.12.1

Published by github-actions[bot] almost 4 years ago

edge-20.12.1

This edge release continues the work of decoupling non-core Linkerd components
by moving more tracing related functionality into the Linkerd-jaeger extension.

  • Continued work on moving tracing functionality from the main control plane
    into the linkerd-jaeger extension
  • Fixed a potential panic in the proxy when looking up a socket's peer address
    while under high load
  • Added automatic readme generation for charts (thanks @GMarkfjard!)
  • Fixed zsh completion for the CLI (thanks @jiraguha!)
  • Added support for multicluster gateways of types other than LoadBalancer
    (thanks @DaspawnW!)

linkerd2 - edge-20.11.5

Published by github-actions[bot] almost 4 years ago

edge-20.11.5

This edge release improves the proxy's support for high-traffic workloads. It also
contains the first steps towards decoupling non-core Linkerd components, the
first iteration being a new linkerd jaeger sub-command for installing tracing.
Please note this is still a work in progress.

  • Addressed some issues reported around clients seeing max-concurrency errors by
    increasing the default in-flight request limit to 100K pending requests
  • Have the proxy appropriately set content-type when synthesizing gRPC error
    responses
  • Bumped the proxy-init image to v1.3.8 which is based off of
    buster-20201117-slim to reduce potential security vulnerabilities
  • No longer panic in rare cases when linkerd-config doesn't have an entry for
    Global configs (thanks @hodbn!)
  • Work in progress: the /jaeger directory now contains the charts and commands
    for installing the tracing component.

linkerd2 - edge-20.11.4

Published by github-actions[bot] almost 4 years ago

edge-20.11.4

  • Fixed an issue in the destination service where endpoints always included a
    protocol hint, regardless of the controller label being present or not

linkerd2 - edge-20.11.3

Published by github-actions[bot] almost 4 years ago

edge-20.11.3

This edge release improves support for CNI by properly handling parameters
passed to the nsenter command, relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service is modified.
This release also improves linkerd proxy performance by eliminating unnecessary
endpoint resolutions for TCP traffic and properly tearing down serverside
connections when errors occur.

  • Added HTTP/2 keepalive PING frames
  • Removed logic to avoid redundant TCP endpoint resolution
  • Fixed an issue where serverside connections were not torn down when an error
    occurs
  • Updated linkerd check so that it doesn't attempt to validate the subject
    alternative name (SAN) on root and intermediate certificates. SANs for leaf
    certificates will continue to be validated
  • Fixed a CLI issue where the linkerd-namespace flag is not honored when
    passed to the install and upgrade commands
  • Fixed an issue where the proxy does not receive updated endpoint information
    when a headless service is modified
  • Updated the control plane Docker images to use buster-20201117-slim to
    reduce potential security vulnerabilities
  • Updated the proxy-init container to v1.3.7 which fixes CNI issues in certain
    environments by properly parsing nsenter args

linkerd2 - edge-20.11.2

Published by github-actions[bot] almost 4 years ago

edge-20.11.2

This edge release reduces memory consumption of Linkerd proxies which maintain
many idle connections (such as Prometheus). It also removes some obsolete
commands from the CLI and allows setting custom annotations on multicluster
gateways.

  • Reduced the default idle connection timeout to 5s for outbound clients and
    20s for inbound clients to reduce the proxy's memory footprint, especially on
    Prometheus instances
  • Added support for setting annotations on the multicluster gateway in Helm
    which allows setting the load balancer as internal (thanks @shaikatz!)
  • Removed the get and logs command from the CLI

linkerd2 - stable-2.9.0

Published by github-actions[bot] almost 4 years ago

Warning: there is a known issue where upgrading to this release with the --prune flag as described in the Linkerd Upgrade documentation will delete certain Linkerd configuration and prevent you from performing any subsequent upgrades. It is highly recommended that you skip this version and instead upgrade directly to stable-2.9.3 or later. If you have already upgraded to this version, you can repair your installation by upgrading your CLI to stable-2.9.3 and using the linkerd repair command.

stable-2.9.0

This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
connections, allowing Linkerd to transparently encrypt and authenticate all TCP
connections in the cluster the moment it's installed. It also adds ARM support,
introduces a new multi-core proxy runtime for higher throughput, adds support
for Kubernetes service topologies, and lots, lots more, as described below:

(For upgrade instructions please check the docs)

  • Proxy

    • Performed internal improvements for lower latencies under high concurrency
    • Reduced performance impact of logging, especially when the debug or
      trace log levels are disabled
    • Improved error handling for DNS errors encountered when discovering control
      plane addresses; this can be common during installation before all
      components have been started, allowing linkerd to continue to operate
      normally in HA during node outages
  • Control Plane

    • Added support for topology-aware service routing
      to the Destination controller; when providing service discovery updates to
      proxies the Destination controller will now filter endpoints based on the
      service's topology preferences
    • Added support for the new Kubernetes EndpointSlice
      resource to the Destination controller; Linkerd can be installed with
      --enable-endpoint-slices flag to use this resource rather than the
      Endpoints API in clusters where this new API is supported
  • Dashboard

    • Added new Spanish translations (please help us translate into your
      language!)
    • Added new section for exposing multicluster gateway metrics
  • CLI

    • Renamed the --addon-config flag to --config to clarify this flag can be
      used to set any Helm value
    • Added fish shell completions to the linkerd command
  • Multicluster

    • Replaced the single service-mirror controller with separate controllers
      that will be installed per target cluster through linkerd multicluster link
    • Changed the mechanism for mirroring services: instead of relying on
      annotations on the target services, now the source cluster should specify
      which services from the target cluster should be exported by using a label
      selector
    • Added support for creating multiple service accounts when installing
      multicluster with Helm to allow more granular revocation
    • Added a multicluster unlink command for removing multicluster links
  • Prometheus

    • Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this
      makes the Linkerd Prometheus more configurable, gives it a separate upgrade
      lifecycle from the rest of the control plane, and allows users to
      disable the bundled Prometheus instance
    • The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:
      added global.prometheusUrl to the Helm config to have linkerd use an
      external Prometheus instance instead of the one provided by default
    • Added an option to persist data to a volume instead of memory, so that
      historical metrics are available when Prometheus is restarted
    • The helm chart can now configure persistent storage and limits
  • Other

    • Added a new linkerd.io/inject: ingress annotation and accompanying
      --ingress flag to the inject command, to configure the proxy to support
      service profiles and enable per-route metrics and traffic splits for HTTP
      ingress controllers
    • Changed the type of the injector and tap API secrets to kubernetes.io/tls
      so they can be provisioned by cert-manager
    • Changed default docker image repository to ghcr.io from gcr.io; Users
      who pull the images into private repositories should take note of this
      change
    • Introduced support for authenticated docker registries
    • Simplified the way that Linkerd stores its configuration; configuration is
      now stored as Helm values in the linkerd-config ConfigMap
    • Added support for Helm configuration of per-component proxy resources
      requests

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible:
Abereham G Wodajie, Alexander Berger, Ali Ariff, Arthur Silva Sens, Chris Campbell,
Daniel Lang, David Tyler, Desmond Ho, Dominik Münch, George Garces, Herrmann Hinz,
Hu Shuai, Jeffrey N. Davis, Joakim Roubert, Josh Soref, Lutz Behnke, MaT1g3R,
Marcus Vaal, Markus, Matei David, Matt Miller, Mayank Shah, Naseem, Nil, OlivierB,
Olukayode Bankole, Paul Balogh, Rajat Jindal, Raphael Taylor-Davies, Simon Weald,
Steve Gray, Suraj Deshmukh, Tharun Rajendran, Wei Lun, Zhou Hao, ZouYu, aimbot31,
iohenkies, memory and tbsoares

linkerd2 - edge-20.11.1

Published by github-actions[bot] almost 4 years ago

edge-20.11.1

This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.

  • Fixed issue where the check command would error when there is no Prometheus
    configured
  • Fixed recent regression that caused multicluster on EKS to not work properly
  • Changed the check command to warn instead of error when webhook certificates
    are near expiry
  • Added the --ingress flag to the inject command which adds the recently
    introduced linkerd.io/inject: ingress annotation
  • Fixed issue with upgrades where external certs would be fetched and stored
    even though this does not happen on fresh installs with externally created
    certs
  • Fixed issue with upgrades where the issuer cert expiration was being reset
  • Removed the --registry flag from the multicluster install command
  • Removed default CPU limits for the proxy and control plane components in HA
    mode

linkerd2 - edge-20.10.6

Published by github-actions[bot] almost 4 years ago

edge-20.10.6

This edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It
adds a new linkerd.io/inject: ingress annotation to support service profiles
and enable per-route metrics and traffic splits for HTTP ingress controllers.

  • Added a new linkerd.io/inject: ingress annotation to configure the
    proxy to support service profiles and enable per-route metrics and traffic
    splits for HTTP ingress controllers
  • Reduced performance impact of logging in the proxy, especially when the
    debug or trace log levels are disabled
  • Fixed spurious warnings logged by the linkerd profile CLI command

linkerd2 - edge-20.10.5

Published by github-actions[bot] almost 4 years ago

edge-20.10.5

This edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It
adds a fix for updating the destination service when there are no endpoints.

  • Added a fix to clear the EndpointTranslator state when it gets a
    NoEndpoints message. This ensures that the clients get the correct set of
    endpoints during an update.

linkerd2 - edge-20.10.4

Published by github-actions[bot] almost 4 years ago

edge-20.10.4

This edge release is a release candidate for stable-2.9.0. For the proxy, there
have been changes to improve performance, remove unused code, and configure
ports that can be ignored by default. Also, this edge release adds enhancements
to the multicluster configuration and observability, adds more translations to
the dashboard, and addresses a bug in the CLI.

  • Added more Spanish translations to the dashboard and more labels that can be
    translated
  • Added support for creating multiple service accounts when installing
    multicluster with Helm to allow more granular revocation
  • Renamed global.proxy.destinationGetNetworks to global.clusterNetworks.
    This is a cluster-wide setting and can no longer be overridden per-pod
  • Fixed an empty multicluster Grafana graph which used a deprecated label
  • Added the control plane tracing ServiceAccounts to the linkerd-psp
    RoleBinding so that it can be used in environments where PodSecurityPolicy
    is enabled
  • Enhanced EKS support by adding 100.64.0.0/10 to the set of discoverable
    networks
  • Fixed a bug in the way that the --all-namespaces flag is handled by the
    linkerd edges command
  • Added a default set of ports to bypass the proxy for server-first, https,
    and memcached traffic

linkerd2 - edge-20.10.3

Published by github-actions[bot] about 4 years ago

edge-20.10.3

This edge release is a release candidate for stable-2.9.0. It overhauls the
discovery and routing logic implemented by the proxy, simplifies the way that
Linkerd stores configuration, and adds new Helm values to configure additional
labels, annotations, and namespace selectors for webhooks.

  • Added podLabels and podAnnotations Helm values to allow adding additional
    labels or annotations to Linkerd control plane pods (thanks @tustvold!)
  • Added namespaceSelector Helm value for configuring the namespace selector
    used by admission webhooks (thanks @tustvold!)
  • Expanded the 'linkerd edges' command to show TCP connections
  • Overhauled the discovery and routing logic implemented by the proxy:
    • The l5d-dst-override header is no longer honored
    • When the application attempts to connect to a pod IP, the proxy no
      longer load balances these requests among all pods in the service.
      The proxy will now honor session-stickiness as selected by an
      application-level load balancer
    • TrafficSplits are only applied when a client targets a service's IP
    • The proxy no longer performs DNS "canonicalization" to translate
      relative host header names to a fully-qualified form
  • Simplified the way that Linkerd stores its configuration. Configuration is
    now stored as Helm values in the linkerd-config ConfigMap
  • Renamed the --addon-config flag to --config to clarify this flag can be used
    to set any Helm value

linkerd2 - edge-20.10.2

Published by github-actions[bot] about 4 years ago

edge-20.10.2

This edge release adds more improvements for mTLS for all TCP traffic.
It also includes significant internal improvements to the way Linkerd
configuration is stored within the cluster.

  • Changed TCP metrics exported by the proxy to ensure that peer
    identities are encoded via the client_id and server_id labels.
  • Removed the dependency of control plane components on linkerd-config
  • Updated the data structure proxy-injector uses to derive the configuration
    used when injecting workloads

linkerd2 - edge-20.10.1

Published by github-actions[bot] about 4 years ago

edge-20.10.1

This edge release includes a couple of external contributions towards
improved cert-manager support and Grafana charts fixes, among other
enhancements.

  • Changed the type of the injector and tap API secrets to kubernetes.io/tls,
    so they can be provisioned by cert-manager (thanks @cypherfox!)
  • Fixed the "Kubernetes cluster monitoring" Grafana dashboard that had a few
    charts with incomplete data (thanks @aimbot31!)
  • Fixed the service-mirror multicluster component so that it retries
    connections to the target cluster's Kubernetes API when it's not reachable,
    instead of blocking
  • Increased the proxy's default timeout for DNS resolution to 500ms, as there
    were reports that 100ms was too restrictive

linkerd2 - edge-20.9.4

Published by github-actions[bot] about 4 years ago

edge-20.9.4

This edge release introduces support for authenticated docker registries and
fixes a recent multicluster regression.

  • Fixed a regression in multicluster gateway configurations that would forbid
    inbound gateway traffic
  • Upgraded bundled Grafana to v7.1.5
  • Enabled Jaeger receiver in collector configuration in Helm chart (thanks
    @olivierboudet!)
  • Fixed skip port configuration being skipped in CNI plugin
  • Introduced support for authenticated docker registries (thanks @c-n-c!)

linkerd2 - edge-20.9.3

Published by github-actions[bot] about 4 years ago

edge-20.9.3

This edge release includes fixes and updates for the control plane and CLI.

  • Added --dest-cni-bin-dir flag to the linkerd install-cni command, to
    configure the directory on the host where the CNI binary will be placed
  • Removed collector.name and jaeger.name config fields from the tracing
    addon
  • Updated Jaeger to 1.19.2
  • Fixed a warning about deprecated Go packages in controller container logs

linkerd2 - edge-20.9.2

Published by github-actions[bot] about 4 years ago

edge-20.9.2

This edge release continues the work of adding support for mTLS for all TCP
traffic and changes the default container registry to ghcr.io from gcr.io.

If you are upgrading from stable-2.8.x with the Linkerd CLI using the
linkerd upgrade command, you must add the --addon-overwrite flag to ensure
that the grafana image is properly set.

  • Removed the default timeout for ServiceProfiles so that ServiceProfile routes
    behave the same as when there is no ServiceProfile definition
  • Changed default docker image repository to ghcr.io from gcr.io. Users who
    pull the images into private repositories should take note of this change
  • Added endpoint labels to outbound TCP metrics to provide more context and
    detail for the metrics, add load balancing to TCP connections
    (bypassing kube-proxy), and secure the connection with mTLS when both
    endpoints are meshed
  • Made unnamed ServiceProfile discovery configurable using the
    proxy.destinationGetNetworks variable to set the
    LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS variable in the proxy chart
    template
  • Added TLS certificate validation for the Injector, SP Validator, and Tap
    webhooks to the linkerd check command