Releases: linkerd/linkerd2

stable-2.12.1

22 Sep 21:32
93dbb8b

This release includes several control plane and proxy fixes for stable-2.12.0.
In particular, it fixes issues related to control plane HTTP servers' header
read timeouts resulting in decreased controller success rates, lowers the
inbound connection pool idle timeout in the proxy, and fixes an issue where the
jaeger injector would put pods into an error state when upgrading from
stable-2.11.x.

Additionally, this release adds the linkerd.io/trust-root-sha256 annotation to
all injected workloads allowing predictable comparison of all workloads' trust
anchors via the Kubernetes API.

For Windows users, note that the Linkerd CLI's nupkg file for Chocolatey is
once again included in the release assets (it was previously removed in
stable-2.10.0).

  • Proxy

    • Lowered inbound connection pool idle timeout to 3s
  • Control Plane

    • Updated AdmissionRegistration API version usage to v1
    • Added linkerd.io/trust-root-sha256 annotation on all injected workloads
      to indicate certificate bundle
    • Updated fields in AuthorizationPolicy and MeshTLSAuthentication to
      conform to specification (thanks @aatarasoff!)
    • Updated the identity controller to not require a ClusterRoleBinding
      to read all deployment resources
    • Increased servers' header read timeouts so they no longer match default
      probe and Prometheus scrape intervals
  • Helm

    • Restored namespace field in Linkerd helm charts
    • Updated PodDisruptionBudget apiVersion from policy/v1beta1 to
      policy/v1 (thanks @Vrx555!)
  • Extensions

    • Fixed jaeger injector interfering with upgrades to 2.12.x
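
Added example, not part of the Linkerd release notes or code base: one way to use the linkerd.io/trust-root-sha256 annotation for the comparison described above, grouping pods by annotation value and listing those that differ from an expected digest. It assumes the annotation is read from pod metadata in `kubectl get pods -A -o json` output; the sample pods, the shortened digests and the function name trustRootDrift are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const trustRootKey = "linkerd.io/trust-root-sha256"

// Constructed sample shaped like `kubectl get pods -A -o json`; the digests
// are shortened placeholders, not real hashes.
const samplePods = `{"items":[
 {"metadata":{"namespace":"shop","name":"web-1","annotations":{"linkerd.io/trust-root-sha256":"aaaa1111"}}},
 {"metadata":{"namespace":"shop","name":"cart-1","annotations":{"linkerd.io/trust-root-sha256":"aaaa1111"}}},
 {"metadata":{"namespace":"batch","name":"job-7","annotations":{"linkerd.io/trust-root-sha256":"bbbb2222"}}},
 {"metadata":{"namespace":"kube-system","name":"dns-0","annotations":{}}}]}`

type podList struct {
	Items []struct {
		Metadata struct {
			Namespace, Name string
			Annotations     map[string]string
		}
	}
}

// trustRootDrift groups pods by annotation value and lists, in input order,
// the pods whose value differs from expected. Pods without the annotation
// are skipped (assumption: they were not injected by a release that sets it).
func trustRootDrift(raw []byte, expected string) (map[string][]string, []string, error) {
	var pl podList
	if err := json.Unmarshal(raw, &pl); err != nil {
		return nil, nil, err
	}
	groups, drifted := map[string][]string{}, []string{}
	for _, p := range pl.Items {
		if d, ok := p.Metadata.Annotations[trustRootKey]; ok {
			id := p.Metadata.Namespace + "/" + p.Metadata.Name
			groups[d] = append(groups[d], id)
			if d != expected {
				drifted = append(drifted, id)
			}
		}
	}
	return groups, drifted, nil
}

func main() {
	groups, drifted, err := trustRootDrift([]byte(samplePods), "aaaa1111")
	fmt.Println(len(groups), "distinct trust roots; drifted:", drifted, "err:", err)
}
```

More than one group after a trust root rotation points at workloads that have not yet been restarted with the new bundle.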

stable-2.11.5

22 Sep 19:41
1062718

This release lowers the inbound connection pool idle timeout to 3s. This should
help avoid socket errors, especially for Kubernetes probes. Additionally, it
upgrades the version of Go used by the control plane and CLI from 1.17 to 1.18.

edge-22.9.2

20 Sep 19:53
566721c

This release fixes an issue where the jaeger injector would put pods into an
error state when upgrading from stable-2.11.x.

  • Updated AdmissionRegistration API version usage to v1
  • Fixed jaeger injector interfering with upgrades to 2.12.x

edge-22.9.1

15 Sep 21:26
ee75526

This release adds the linkerd.io/trust-root-sha256 annotation to all injected
workloads allowing predictable comparison of all workloads' trust anchors via
the Kubernetes API.

Additionally, this release lowers the inbound connection pool idle timeout to
3s. This should help avoid socket errors, especially for Kubernetes probes.

  • Added linkerd.io/trust-root-sha256 annotation on all injected workloads
    to indicate certificate bundle
  • Lowered inbound connection pool idle timeout to 3s
  • Restored namespace field in Linkerd helm charts
  • Updated fields in AuthorizationPolicy and MeshTLSAuthentication to
    conform to specification (thanks @aatarasoff!)
  • Updated the identity controller to not require a ClusterRoleBinding
    to read all deployment resources.

edge-22.8.3

30 Aug 22:32
9f36569

Increased control plane HTTP servers' read timeouts so that they no longer
match the default probe intervals. This was leading to closed connections
and decreased controller success rate.

stable-2.12.0

23 Aug 20:59
0bd3f73

This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway API.

The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft, and a host
of other improvements and performance enhancements.

Additionally, the linkerd-smi extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
run linkerd install --crds before running linkerd install; with Helm, you'll
install the new linkerd-crds chart, then the linkerd-control-plane chart.
These charts are now versioned using SemVer independently of Linkerd releases.
For more information, see the upgrade notes.

Upgrade notes: Please see the upgrade instructions.

  • Proxy

    • Added a config.linkerd.io/shutdown-grace-period annotation to limit the
      duration that the proxy may wait for graceful shutdown
    • Added a config.linkerd.io/access-log annotation to enable logging of
      workload requests
    • Added a new iptables-nft mode for the proxy-init initContainer
    • Added support for non-HTTP traffic forwarding within the mesh in ingress
      mode
    • Added the /env.json log diagnostic endpoint
    • Added a new process_uptime_seconds_total metric to track proxy uptime in
      seconds
    • Added support for dynamically discovering policies for ports that are not
      documented in a pod's containerPorts
    • Added support for route-based inbound HTTP metrics
      (route_group/route_kind/route_name)
    • Added a new annotation to configure skipping subnets in the init container
      (config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker
      workloads (thanks @michaellzc!)
  • Control Plane

    • Added support for per-route policy by supporting AuthorizationPolicy
      resources which can target HttpRoute or Server resources
    • Added support for bound service account token volumes for the control plane
      and injected workloads
    • Removed kube-system exclusions from watchers to fix service discovery for
      workloads in the kube-system namespace (thanks @JacobHenner!)
    • Updated healthcheck to ignore Terminated state for pods (thanks
      @AgrimPrasad!)
    • Updated the default policy controller log level to info; the controller
      will now emit INFO level logs for some of its dependencies
    • Added probe authorization by default, allowing clusters that use a default
      deny policy to not explicitly need to authorize probes
    • Fixed an issue where the proxy-injector would break when using
      nodeAffinity values for the control plane
    • Fixed an issue where certain control plane components were not restarting as
      necessary after a trust root rotation
    • Removed SMI functionality in the default Linkerd installation; this is now
      part of the linkerd-smi extension
  • CLI

    • Fixed the linkerd check command crashing when unexpected pods are found in
      a Linkerd namespace
    • Updated the linkerd authz command to support AuthorizationPolicy and
      HttpRoute resources
    • Updated linkerd check to allow RSA signed trust anchors (thanks
      @danibaeyens!)
    • linkerd install --crds must be run before linkerd install
    • linkerd upgrade --crds must be run before linkerd upgrade
    • Fixed invalid yaml syntax in the viz extension's tap-injector template
      (thanks @wc-s!)
    • Fixed an issue where the --default-inbound-policy setting was not being
      respected
    • Added support for AuthorizationPolicy and HttpRoute to viz authz command
    • Added support for AuthorizationPolicy and HttpRoute to viz stat command
    • Added support for policy metadata in linkerd viz tap
  • Helm

    • Split the linkerd2 chart into linkerd-crds and linkerd-control-plane
    • Charts are now versioned using SemVer independently of
      Linkerd releases
    • Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
    • Changed the proxy.await Helm value so that users can now disable
      linkerd-await on control plane components
    • Added the policyController.probeNetworks Helm value for configuring the
      networks that probes are expected to be performed from
  • Extensions

    • Added annotations to allow Linkerd extension deployments to be evicted by
      the autoscaler when necessary
    • Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
      mode
    • Added a ServiceAccount token Secret to the multicluster extension to support
      Kubernetes versions >= v1.24

This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:

Agrim Prasad @AgrimPrasad
Ahmed Al-Hulaibi @ahmedalhulaibi
Aleksandr Tarasov @aatarasoff
Alexander Berger @alex-berger
Ao Chen @chenaoxd
Badis Merabet @badis
Bjørn @Crevil
Brian Dunnigan @bdun1013
Christian Schlotter @chrischdi
Dani Baeyens @danibaeyens
David Symons @multimac
Dmitrii Ermakov @ErmakovDmitriy
Elvin Efendi @ElvinEfendi
Evan Hines @evan-hines-firebolt
Eng Zer Jun @Juneezee
Gustavo Fernandes de Carvalho @gusfcarvalho
Harry Walter @haswalt
Israel Miller @imiller31
Jack Gill @jackgill
Jacob Henner @JacobHenner
Jacob Lorenzen @Jaxwood
Joakim Roubert @joakimr-axis
Josh Ault @jault-figure
João Soares @jasoares
jtcarnes @jtcarnes
Kim Christensen @kichristensen
Krzysztof Dryś @krzysztofdrys
Lior Yantovski @lioryantov
Martin Anker Have @mahlunar
Michael Lin @michaellzc
Michał Romanowski @michalrom089
Naveen Nalam @nnalam
Nick Calibey @ncalibey
Nikola Brdaroski @nikolabrdaroski
Or Shachar @or-shachar
Pål-Magnus Slåtto @dev-slatto
Raman Gupta @rocketraman
Ricardo Gândara Pinto @rmgpinto
Roberth Strand @roberthstrand
Sankalp Rangare @sankalp-r
Sascha Grunert @saschagrunert
Steve Gray @steve-gray
Steve Zhang @zhlsunshine
Takumi Sue @mikutas
Tanmay Bhat @tanmay-bhat
Táskai Dominik @dtaskai
Ujjwal Goyal @importhuman
Weichung Shaw @wc-s
Wim de Groot @wim-de-groot
Yannick Utard @utay
Yurii Dzobak @yuriydzobak
罗泽轩 @spacewander

stable-2.12.0-rc2

19 Aug 16:35
cdeca1c

This release is the second release candidate for stable-2.12.0.

At this point the Helm charts can be retrieved from the stable repo:

helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane

The following lists all the changes since edge-22.8.2:

  • Fixed inheritance of the linkerd.io/inject annotation from Namespace to
    Workloads when its value is ingress
  • Added the config.linkerd.io/default-inbound-policy: all-authenticated
    annotation to linkerd-multicluster’s Gateway deployment so that all clients
    are required to be authenticated
  • Added a ReadHeaderTimeout of 10s to all the Go http.Server instances, to
    avoid being vulnerable to "slowloris" attacks
  • Added check in linkerd viz check --proxy to warn in case namespaces have the
    config.linkerd.io/default-inbound-policy: deny annotation, which would not
    authorize scrapes coming from the linkerd-viz Prometheus instance
  • Added validation for accepted values for the --default-inbound-policy flag
  • Fixed invalid URL in the linkerd install --help output
  • Added --destination-pod flag to linkerd diagnostics endpoints subcommand
  • Added proxyInit.runAsUser in values.yaml defaulting to non-zero, to
    complement the new default proxyInit.runAsRoot: false that was recently
    changed
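
Added example, not Linkerd's code: a Go check of what the ReadHeaderTimeout change in the list above buys, showing that an http.Server with the timeout set closes a connection whose request headers never finish, while one without it keeps waiting. The loopback listener, the constructed request, the helper names and the 300ms value are assumptions chosen so the check runs quickly; the release sets 10s.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// newServer returns a server with the given header read limit.
// A value of 0 means no limit on how long request headers may take.
func newServer(readHeaderTimeout time.Duration) *http.Server {
	return &http.Server{
		ReadHeaderTimeout: readHeaderTimeout,
		Handler:           http.NotFoundHandler(),
	}
}

// stalledConnDropped serves srv on a loopback port, opens one connection that
// sends an unterminated header block, and reports whether the server closed
// that connection within window.
func stalledConnDropped(srv *http.Server, window time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Constructed request: request line and Host header, no final blank line.
	if _, err := io.WriteString(conn, "GET /ready HTTP/1.1\r\nHost: test.invalid\r\n"); err != nil {
		return false, err
	}
	conn.SetReadDeadline(time.Now().Add(window))
	_, err = io.ReadAll(conn)
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own deadline fired: the server is still waiting
	}
	return true, nil // EOF or reset: the server gave up on the connection
}

func main() {
	dropped, err := stalledConnDropped(newServer(300*time.Millisecond), 2*time.Second)
	fmt.Println("dropped:", dropped, "err:", err)
}
```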

edge-22.8.2

12 Aug 00:46
5427446

This release is considered a release candidate for stable-2.12.0 and we
encourage you to try it out! It includes an update to the multicluster extension
which adds support for Kubernetes v1.24 and also updates many CLI commands to
support the new policy resources: ServerAuthorization and HTTPRoute.

  • Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens)
  • Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s)
  • Added support for AuthorizationPolicy and HttpRoute to viz authz command
  • Added support for AuthorizationPolicy and HttpRoute to viz stat
  • Added support for policy metadata in linkerd tap
  • Fixed an issue where certain control plane components were not restarting as
    necessary after a trust root rotation
  • Added a ServiceAccount token Secret to the multicluster extension to support
    Kubernetes versions >= v1.24
  • Fixed an issue where the --default-inbound-policy setting was not being
    respected

edge-22.8.1

05 Aug 22:25
ca08b81

This release introduces default probe authorization. This means that on
clusters that use a default deny policy, probes do not have to be explicitly
authorized using policy resources. Additionally, the
policyController.probeNetworks Helm value has been added, which allows users
to configure the networks that probes are expected to be performed from.

Additionally, the linkerd authz command has been updated to support the policy
resources AuthorizationPolicy and HttpRoute.

Finally, some smaller changes include allowing linkerd-await to be disabled on
control plane components (using the existing proxy.await configuration) and
changing the default iptables mode back to legacy to support more cluster
environments by default.

  • Updated the linkerd authz command to support AuthorizationPolicy and
    HttpRoute resources
  • Changed the proxy.await Helm value so that users can now disable
    linkerd-await on control plane components
  • Added probe authorization by default allowing clusters that use a default
    deny policy to not explicitly need to authorize probes
  • Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
  • Added the policyController.probeNetworks Helm value for configuring the
    networks that probes are expected to be performed from
  • Changed the default iptables mode to legacy

edge-22.7.3

28 Jul 15:58
26f696d

This release adds a new nft iptables mode, used by default in proxy-init.
When used, firewall configuration will be set up through the iptables-nft
binary; this should allow hosts that do not support iptables-legacy (such as
RHEL based environments) to make use of the init container. The older
iptables-legacy mode is still supported, but it must be explicitly turned on.
Moreover, this release also replaces the HTTPRoute CRD with Linkerd's own
version, and includes a number of fixes and improvements.

  • Added a new iptables-nft mode for proxy-init. When running in this mode,
    the firewall will be configured with the nft kernel API; this should allow
    users to run the init container on RHEL-family hosts
  • Fixed an issue where the proxy-injector would break when using nodeAffinity
    values for the control plane
  • Updated healthcheck to ignore Terminated state for pods (thanks
    @AgrimPrasad!)
  • Replaced HTTPRoute CRD version from gateway.networking.k8s.io with a
    similar version from the policy.linkerd.io API group. While the CRD is
    similar, it does not support the Gateway type, does not contain the
    backendRefs fields, and does not support RequestMirror and ExtensionRef
    filter types.
  • Updated the default policy controller log level to info; the controller
    will now emit INFO level logs for some of its dependencies
  • Added validation to ensure HTTPRoute paths are absolute; relative paths are
    not supported by the proxy and the policy controller admission server will
    reject any routes that use paths which do not start with /