edge-23.4.1

This is a release candidate for stable-2.13.0 — we encourage you to help
try it out!

This edge release introduces request-level HTTP circuit-breaking
using a consecutive failures failure accrual policy. Circuit breaking can be
configured by adding failure accrual annotations to a Service. In addition, this
release adds new outbound_route_backend_http_requests_total and
outbound_route_backend_grpc_requests_total proxy metrics, which can be
used to track how routing rules and backend distributions apply to
requests. These metrics contain labels describing the route's parent
(i.e. a Service), the route resource being used, and the backend
resource being used by each request.

• Proxy

  • Added discovery of failure accrual policies from the OutboundPolicy API
  • Implemented consecutive failures failure accrual policy
  • Added INFO-level logging on failure accrual changes
  • Added outbound_route_backend_http_requests_total and
    outbound_route_backend_grpc_requests_total metrics

• Policy Controller

  • Added failure accrual configuration to the OutboundPolicy API
  • Added Prometheus /metrics endpoint to the admin server, with process
    metrics
  • Changed the policy controller to only accept HTTPRoutes when the parentRef
    is a ClusterIP Service
  • Added ports to service references in the OutboundPolicy API

• Viz

  • Added tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
    allows users to specify a comma-separated list of header names which will be
    ignored by Linkerd Tap (thanks @ryanhristovski!)
  • Removed duplicate SecurityContext in Prometheus manifest

• Multicluster

  • Removed duplicate AuthorizationPolicy for probes from the multicluster
    gateway Helm chart

edge-23.3.4

This edge release further enhances the OutboundPolicies API used by the proxy to
route outbound traffic, and continues extending the HTTPRoute resource's Status
field. It also starts integrating circuit-breaking functionality into the proxy,
which will be configurable in a subsequent iteration.

• Continued iterating on the HTTPRoute's Status field, by extending support for
  routes parented to Services, and adding a ResolvedRefs condition reflecting
  the status of BackendRefs
• Updated the OutboundPolicies API such that only HTTPRoutes with an Accepted
  status of true are considered when routing outbound requests
• Improved handling of invalid backends, allowing the configuration of error
  responses
• Added new flag --viz-namespace which avoids requiring permissions for
  listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
• Among other dependency updates, the no-longer maintained ghodss/yaml library
  was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)

edge-23.3.3

This edge release removes TrafficSplits from the Linkerd dashboard as well as
fixing a number of issues in the policy controller.

• Removed the TrafficSplit page from the Linkerd viz dashboard
• Fixed an issue where the policy controller was not returning the correct
  status for non-Service authorities
• Fixed an issue where the policy controller could use large amounts of CPU
  when lease API calls failed

edge-23.3.2

This edge release continues to improve dynamic Policy statuses and
introduces support for header-based routing.

• Destination Controller

  • Added OutboundPolicies API, for use by linkerd-proxy to route
    outbound traffic
  • Improved diagnostic log messages
  • Fixed sending of spurious profile updates

• Proxy

  • Use the new OutboundPolicies API, supporting Gateway API-style routes
    in the outbound proxy

• Policy Controller

  • Support highly available Policy Controller by utilizing
    policy-controller-write Lease when patching HTTPRoutes
  • Consider the status field and filter out HTTPRoutes which have not
    been accepted

• Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector

• Updated HTTPRoute version from v1alpha1 to v1beta2

• Updated network-validator helm charts to use proxy-init resources

• Fixed Grafana regular expression, enabling monitoring of filesystem
  usage (thanks @h-dav!)

edge-23.3.1

This edge release continues to build support under the hood for the upcoming
features in 2.13. Also included are several dependency updates and less verbose
logging.

• Removed dependency on the curlimages/curl 3rd-party image used to initialize
  extensions namespaces metadata (so they are visible by linkerd check),
  replaced by the new extension-init image
• Lowered non-actionable error messages in the Destination log to debug-level
  entries to avoid triggering false alarms (thanks @siddharthshubhampal!)

edge-23.2.3

This edge release includes a number of fixes and introduces a new CLI command,
linkerd prune. The new prune command should be used to remove resources
which are no longer part of the Linkerd manifest when doing an upgrade.
Previously, the recommendation was to use linkerd upgrade in conjunction with
kubectl apply --prune, however, that will not remove resources which are not
part of the input manifest, and it will not detect cluster scoped resources,
linkerd prune (included in all core extensions) should be preferred over it.

Additionally, this change contains a few fixes from our external contributors,
and a change to the viz Helm chart which allows for arbitrary annotations on
Service objects. Last but not least, the release contains a few proxy
internal changes to prepare for the new client policy API.

• Added a new linkerd prune command to the CLI (including extensions) to
  remove resources which are no longer part of Linkerd's manifests
• Introduced new values in the viz chart to allow for arbitrary annotations
  on the Service objects (thanks @sgrzemski!)
• Fixed up a comment in k8s API wrapper (thanks @ductnn!)
• Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
  when using more than one slice, a NoEndpoints event would be sent to the
  proxy regardless of the amount of endpoints that were still available (thanks
  @utay!)

edge-23.2.2

This edge release adds the policy status controller which writes the status
field to HTTPRoutes when a parent reference Server accepts or rejects the
HTTPRoute. This field is currently not consumed by the policy controller, but
acts as the first step for considering HTTPRoute status when serving policy.

Additionally, the destination controller now uses the Kubernetes metadata API
for resources which it only needs to track the metadata for — Nodes and
ReplicaSets. For all other resources it tracks, it uses additional information
so continues to use the API as before.

• Fixed error message to include the colliding Server in the policy controller's
  admission webhook validation
• Updated wording for linkerd-multicluster cluster when it fails to probe a
  remote gateway mirror
• Removed unnecessary Namespaces access from the destination controller RBAC
• Added Kubernetes metadata API in the destination controller for watching Nodes
  and ReplicaSets
• Fixed QueryParamMatch parsing for HTTPRoutes
• Added the policy status controller which writes the status field to
  HTTPRoutes when a parent reference Server accepts or rejects it

stable-2.12.4

This stable release fixes a memory leak in the Destination controller, and also
includes other bug fixes for the Linkerd control plane, CLI, and extensions.

• CLI

  • Fixed an issue in the CLI where --identity-external-ca would set an
    incorrect field (thanks @anoxape!)

• Control Plane

  • Fixed an issue in the destination controller's cache that could result in
    stale endpoints when using EndpointSlice objects
  • Fixed control plane components failing liveness probes while waiting for
    caches to sync, which could prevent the control plane from starting in large
    clusters
  • Fixed a memory leak in the Destination controller

• linkerd-proxy-init

  • Added resource limits for noop init container, to support environments
    where resource quotas are required

• Helm

  • Added namespace to namespace-metadata resources in Helm (thanks
    @joebowbeer!)
  • Fixed potential nil pointer dereference errors in template evaluation

• Extensions

  • Fixed an issue where linkerd viz tap would display wrong latency/duration
    value (thanks @olegy2008!)

edge-23.2.1

This edge release sees the linkerd-cni plugin moved to
linkerd2-proxy-init and released from that repository. An iptables
improvement to linkerd-cni and proxy-init is the main focus. Other
minor fixes are also included.

• Changed proxy-init iptables rules to be idempotent upon init pod
  restart (thanks @jim-minter!)
• Improved logging in proxy-init and linkerd-cni
• Added the server_port_subscribers metric to track the number of subscribers
  to Server changes associated with a pod's port
• Added the service_subscribers metric to track the number of subscribers to
  Service changes
• Fixed a small memory leak in the opaque ports watcher
• No longer apply waitBeforeExitSeconds to control plane, viz and jaeger
  extension pods
• Added support for the internalTrafficPolicy of a service (thanks @yc185050!)
• Added limits and requests to network-validator for ResourceQuota interop
• Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
• Added multicluster gateway nodeSelector and tolerations helm parameters
• Added protection against nil dereference in resources helm template

edge-23.1.2

This edge release fixes a memory leak in the Linkerd control plane that could
occur when many many pods were created. It also adds a number of new
configuration options Multicluster extension's gateway.

• Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
• Added new configuration options for the multicluster gateway:
  • gateway.deploymentAnnotations
  • gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
  • gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
• Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
  in the Viz extension
• Fixed the link to the Jaeger dashboard the in viz dashboard (thanks @eugenegoncharuk!)
• Fixed an issue where control plane components could fail to start on large
  clusters because of failing readiness probes while caches were being
  initialized
• Fixed a memory leak in the Destination controller
• Fixed an issue where PodSecurityPolicies could reject Linkerd control plane
  components due to the seccompProfile