edge-24.1.1

This edge release introduces a number of different fixes and improvements. More
notably, it introduces a new cni-repair-controller binary to the CNI plugin
image. The controller will automatically restart pods that have not received
their iptables configuration.

• Removed shortnames from Tap API resources to avoid colliding with existing
  Kubernetes resources (#11816; fixes #11784)
• Introduced a new ExternalWorkload CRD to support upcoming mesh expansion
  feature (#11805)
• Changed MeshTLSAuthentication resource validation to allow SPIFFE URI
  identities (#11882)
• Introduced a new cni-repair-controller to the linkerd-cni DaemonSet to
  automatically restart misconfigured pods that are missing iptables rules
  (#11699; fixes #11073)
• Fixed a "duplicate metrics" warning in the multicluster service-mirror
  component (#11875; fixes #11839)
• Added metric labels and weights to linkerd diagnostics endpoints json
  output (#11889)
• Changed how Server updates are handled in the destination service. The
  change will ensure that during a cluster resync, consumers won't be
  overloaded by redundant updates (#11907)
• Changed linkerd install error output to add a newline when a Kubernetes
  client cannot be successfully initialised (#11917)

stable-2.14.8

This stable release fixes an issue in the control plane where discovery for pod
IP addresses could hang indefinitely (#11815).

edge-23.12.4

This edge release includes fixes and improvements to the destination
controller's endpoint resolution API.

• Fixed an issue in the control plane where discovery for pod IP addresses could
  hang indefinitely (#11815)
• Updated the proxy to enforce time limits on control plane response streams so
  that proxies more naturally distribute load over control plane replicas
  (#11837)
• Fixed the policy's controller service metadata responses so that proxy logs
  and metrics have informative values (#11842)

stable-2.14.7

This stable release fixes two bugs in the Linkerd control plane.

• Fixed an issue in the destination controller where the metadata API was not
  properly initialized for jobs, leading to error messages and unnecessary API
  calls (#11541)
• Fixed an issue in the policy controller where it was overriding statuses on
  HTTPRoute resources from other controllers (#11705)

edge-23.12.3

This edge release contains improvements to the logging and diagnostics of the
destination controller.

• Added a control plane metric to count errors talking to the Kubernetes API
  (#11774)
• Fixed an issue causing spurious destination controller error messages for
  profile lookups on unmeshed pods with port in default opaque list (#11550)

edge-23.12.2

This edge release includes a restructuring of the proxy's balancer along with
accompanying new metrics. The new minimum supported Kubernetes version is 1.22.

• Restructured the proxy's balancer (#11750): balancer changes may now occur
  independently of request processing. Fail-fast circuit breaking is enforced on
  the balancer's queue so that requests can't get stuck in a queue indefinitely.
  This new balancer is instrumented with new metrics: request (in-queue) latency
  histograms, failfast states, discovery updates counts, and balancer endpoint
  pool sizes.
• Changed how the policy controller updates HTTPRoute status so that it doesn't
  affect statuses from other non-linkerd controllers (#11705; fixes #11659)

stable-2.14.6

This stable release back-ports bugfixes and improvements from recent edge
releases.

• multicluster: Added an imagePullSecrets configuration to
  linkerd-multicluster Helm chart (thanks @lhaussknecht!). (#11287)
• multicluster: Updated the service mirror to support gateways exposed on
  multiple IP addresses (thanks @MrFreezeex!) (#11499)
• Updated control plane logging so that client-go may emit error logs. This will
  also ensures that all logs are emitted in JSON when the json log format is
  enabled. (#11632)
• Added kubeAPI.clientBurst and kubeAPI.clientQPS configurations that allow
  users to configure the burst and QPS rate limits for the Kubernetes API
  clients used by the control plane. The default burst and qps values are now
  set at 200 and 100, respectively. The prior defaults limited bursts 10 and QPS
  to 5, which could cause throttling issues in clusters that schedule many pods
  quickly. (#11644)
• viz: Update the default prometheus version to v2.48.0. (#11633)

edge-23.12.1

This edge release introduces new configuration values in the identity
controller for client-go's QPS and Burst settings. Default values for these
settings have also been raised from 5 (QPS) and 10 (Burst) to 100 and
200 respectively.

• Added namespaceSelector fields for the tap-injector and jaeger-injector
  webhooks. The webhooks are now configured to skip kube-system by default
  (#11649; fixes #11647) (thanks @mikutas!)
• Added the ability to configure client-go's QPS and Burst settings in the
  identity controller (#11644)
• Improved client-go logging visibility throughout the control plane's
  components (#11632)
• Introduced PodDisruptionBudgets in the linkerd-viz Helm chart for tap and
  tap-injector (#11628; fixes #11248) (thanks @mcharriere!)

stable-2.14.5

This stable release fixes a proxy regression where bursts of TCP connections
could result in EOF errors, due to an incorrect queue capacity. In addition, it
includes fixes for the control plane, dependency upgrades, and support for image
digests in Linkerd manifests.

• Added a controlPlaneVersion override to the linkerd-control-plane Helm chart
  to support including SHA256 image digests in Linkerd manifests (thanks
  @cromulentbanana!) (#11406; fixes #11312)
• Added a checksum/config annotation to the destination and proxy injector
  deployment manifests, to force restarting those workloads whenever their
  webhook secrets change during upgrade (thanks @iAnomaly!) (#11440; fixes
  #6940)
• Updated the Policy controller's OpenSSL dependency to v3, as OpenSSL 1.1.1 is
  EOL (#11625)
• proxy: Increased DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY to prevent EOF errors
  during bursts of TCP connections (proxy PR #2521)

edge-23.11.4

This edge release introduces support for the native sidecar containers entering
beta support in Kubernetes 1.29. This improves the startup and shutdown ordering
for the proxy relative to other containers, fixing the long-standing
shutdown issue with injected Jobs. Furthermore, traffic from other
initContainers can now be proxied by Linkerd.

In addition, this edge release includes Helm chart improvements, and improvements
to the multicluster extension.

• Added a new config.alpha.linkerd.io/proxy-enable-native-sidecar annotation
  and Proxy.NativeSidecar Helm option that causes the proxy container to run
  as an init-container (thanks @teejaded!) (#11465; fixes #11461)
• Fixed broken affinity rules for the multicluster service-mirror when running
  in HA mode (#11609; fixes #11603)
• Added a new check to linkerd check that ensures all extension namespaces are
  configured properly (#11629; fixes #11509)
• Updated the Prometheus Docker image used by the linkerd-viz extension to
  v2.48.0, resolving a number of CVEs in older Prometheus versions (#11633)
• Added nodeAffinity to deployment templates in the linkerd-viz and
  linkerd-jaeger Helm charts (thanks @naing2victor!) (#11464; fixes
  #10680)