Releases: linkerd/linkerd2

stable-2.11.2

21 Apr 14:57

This release pulls in many small fixes and improvements from the main
development branch. It features changes to the multicluster extension to
support the new linkerd-failover extension, so that clients can fail over
across services hosted on remote clusters.

  • CLI

    • Updated check to avoid checking the proxy version of uninjected pods
    • Updated check to skip evicted pods
    • Updated extension install commands to support the --ignore-cluster flag
  • Core

    • Fixed a bug in the destination controller that could prevent service
      endpoint updates from being sent to the proxy
    • Updated the destination controller to honor Server resources when
      determining an endpoint's opaqueness
    • Updated the proxy to correctly honor opaque protocol hints for
      non-Kubernetes targets, i.e., when a workload's
      config.linkerd.io/enable-external-profiles annotation is set to true
    • Updated controller webhook servers to ensure that TLS v1.2 or greater is
      used
    • Disabled pprof in control plane admin endpoints by default
    • Updated controllers to ensure that user input is quoted & escaped
      in log messages
    • Updated the proxy's linkerd-await post-start hook to time out after 2
      minutes. This makes it easier to debug proxies that fail to become ready
    • Updated the proxy init container to support JSON log formatting
    • Added a config.linkerd.io/skip-subnets workload annotation that can be
      used to configure the proxy-init to skip rewriting all traffic to a given
      subnet. This is primarily intended to support docker-in-docker deployments
    • Updated the policy controller to use an openssl backend for its admission
      controller server on x86_64 to improve interoperability with more exotic
      Kubernetes server configurations
    • Updated the policy controller to dynamically reload its webhook server
      credentials without restarting
    • Updated the Server CRD to relax OpenAPI schema validation requirements
    • Updated the policy controller webhook server to enforce validation of
      Server and ServerAuthorization resources
    • Added a proxyInit.runAsRoot helm variable that may be set to false to run
      the proxy-init container as a non-root user
    • Updated controller servers to limit the amount of data that may be buffered
      to guard against malicious clients
    • Removed use of the deprecated beta.kubernetes.io/node label
  • Jaeger

    • Upgraded jaeger to v1.31 and opentelemetry-collector to v0.43 to support
      ARM
  • Multicluster

    • Updated service mirrors so that local services reflect the
      readiness of the remote service. When the remote service has no ready
      endpoints or when its gateway is unavailable, the mirrored local service
      will also have no ready endpoints
    • Fixed a configuration issue that prevented multicluster gateways from
      running on ARM nodes
    • Updated multicluster service mirrors to only create mirrored services when
      the service's namespace already exists in the local cluster
    • Fixed a bug that prevented WebSocket requests from being routed by gateways
    • Updated the linkerd-multicluster-link Helm chart so that a RoleBinding
      is created for each target cluster. This role binding is now only created
      when the enablePSP helm value is set to true
    • Added a linkerd multicluster install --ha flag to run gateways with
      multiple replicas, pod disruption budgets, anti-affinity settings, etc.

edge-22.3.5

31 Mar 22:37
bb8737b

This edge release introduces new policy CRDs that allow for more generalized
authorization policies.

The AuthorizationPolicy CRD authorizes clients that satisfy all the required
authentications to communicate with the Linkerd Server that it targets.
Required authentications are specified through the new MeshTLSAuthentication
and NetworkAuthentication CRDs.

A MeshTLSAuthentication defines a list of authenticated client IDs—specified
directly by proxy identity strings or referencing resources such as
ServiceAccounts.

A NetworkAuthentication defines a list of client networks that will be
authenticated.

Additionally, to support the new CRDs, policy-related labels have been changed
to better categorize policy metrics. A srv_kind label has been introduced
which splits the current srv_name value—formatted as kind:name—into separate
labels. The saz_name label has been removed and is replaced by the new
authz_kind and authz_name labels.

  • Introduced the srv_kind label, which allows splitting the value of the
    current srv_name label
  • Removed the saz_name label and replaced it with the new authz_kind and
    authz_name labels
  • Fixed an issue in the destination controller where an update would not be sent
    after an endpoint was discovered for a currently empty service
  • Introduced the following custom resource types to support generalized
    authorization policies: AuthorizationPolicy, MeshTLSAuthentication,
    NetworkAuthentication
  • Deprecated the --proxy-version flag (thanks @importhuman!)
  • Updated linkerd-viz to use new policy CRDs
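As an added illustration of how the three new CRDs compose (this is not part of the release notes and not code from the Linkerd project), the manifest below targets one Server and requires clients to pass both a MeshTLSAuthentication and a NetworkAuthentication. The namespace, resource names, service account, pod labels and CIDR are placeholders; the field layout follows the policy.linkerd.io API for these resources, with assumed API versions v1beta1 for Server and v1alpha1 for the three resources introduced in this release.

```yaml
# Added example, not from the release notes. Names, namespace, identities and
# the CIDR are placeholders; API versions are assumed (v1beta1 for Server,
# v1alpha1 for the new policy resources).

# The Server the policy targets: the gRPC port on the "authors" pods.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: demo
  name: authors-grpc
spec:
  podSelector:
    matchLabels:
      app: authors
  port: grpc
  proxyProtocol: gRPC
---
# Clients must be meshed and present the identity of the "web" ServiceAccount
# (identityRefs resolves the account to its proxy identity string; the
# equivalent "identities:" form lists the identity strings directly).
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: demo
  name: web-only
spec:
  identityRefs:
    - kind: ServiceAccount
      name: web
---
# ...and must originate from the cluster's pod network.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: demo
  name: pod-network
spec:
  networks:
    - cidr: 10.42.0.0/16
---
# The AuthorizationPolicy ties them together: a client must satisfy ALL of the
# referenced authentications before the proxy admits traffic to authors-grpc.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: demo
  name: authors-grpc-from-web
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: authors-grpc
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: web-only
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: pod-network
```

Applied with `kubectl apply -f`, this opens the port only to meshed clients running as the named service account and connecting from the listed network; once a Server exists, requests that no authorization matches are refused, so the policy is what admits the intended callers. Request metrics for traffic admitted this way carry the split labels described above: srv_kind and srv_name for the Server, and authz_kind and authz_name for the AuthorizationPolicy that admitted the request.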

edge-22.3.4

24 Mar 21:18
47105d5

  • Disabled pprof endpoints on Linkerd control plane components by default
  • Fixed an issue where mirror service endpoints of headless services were always
    ready regardless of gateway liveness
  • Added server side validation for ServerAuthorization resources
  • Fixed an "origin not allowed" issue when using the latest Grafana with the
    Linkerd Viz extension

edge-22.3.3

15 Mar 20:28
d5e58f2

This edge release ensures that in multicluster installations, mirror service
endpoints have their readiness tied to gateway liveness. When the gateway for a
target cluster is not alive, the endpoints that point to it on a source cluster
will properly indicate that they are not ready.

  • Fixed tap controller logging errors that were susceptible to log forgery by
    ensuring special characters are escaped
  • Fixed issue where mirror service endpoints were always ready regardless of
    gateway liveness
  • Removed unused namespace entry in linkerd-control-plane chart

edge-22.3.2

11 Mar 17:56
a7b8a5b

This edge release includes a few fixes and quality of life improvements. An
issue has been fixed in the proxy allowing HTTP Upgrade requests to work
through multi-cluster gateways, and the init container's resource limits and
requests have been revised. Additionally, more Go linters have been enabled and
improvements have been made to the devcontainer.

  • Changed linkerd-init resource (CPU/memory) limits and requests to ensure by
    default the init container does not break a pod's Guaranteed QoS class
  • Added a new check condition to skip pods whose status is NodeShutdown
    during validation as they will not have a proxy container
  • Fixed an issue that would prevent proxies from sending HTTP Upgrade requests
    (used in websockets) through multi-cluster gateways

edge-22.3.1

03 Mar 22:29
2065e81

This edge release includes updates to dependencies, CI, and Rust 1.59.0. It also
includes changes to the linkerd-jaeger chart to ensure that namespace labels
are preserved and adds support for imagePullSecrets, along with improvements
to the multicluster and policy functionality.

  • Added a note to the multicluster link command to clarify that the link is
    one-directional
  • Introduced imagePullSecrets to Jaeger Helm chart
  • Updated Rust to v1.59.0
  • Fixed a bug where labels can be overwritten in the linkerd-jaeger chart
  • Fixed broken mirrored headless services after repairEndpoints runs
  • Updated Server CRD to handle an empty PodSelector

edge-22.2.4

25 Feb 02:25
af34bbd

This edge release continues to address several security related lints and
ensures they are checked by CI.

  • Added a linkerd check warning for clusters that cannot verify their
    clusterNetworks due to Nodes missing the podCIDR field
  • Changed Server CRD to allow having an empty PodSelector
  • Modified linkerd inject to only support https URLs to mitigate security
    risks
  • Fixed potential goroutine leak in the port forwarding used by several CLI
    commands and control plane components
  • Fixed timeouts in the policy validator which could lead to failures if
    failurePolicy was set to Fail

edge-22.2.3

17 Feb 22:20
2a4c84d

This edge release fixes some Instant-related proxy panics that occur on Amazon
Linux. It also includes many behind the scenes improvements to the project's
CI and linting.

  • Removed the --controller-image-version install flag to simplify the way that
    image versions are handled. The controller image version can be set using the
    --set linkerdVersion flag or Helm value
  • Lowercased logs and removed redundant lines from the Linkerd2 proxy init
    container
  • Prevented the proxy from logging spurious errors when its pod does not define
    any container ports
  • Added workarounds to reduce the likelihood of Instant-related proxy panics
    that occur on Amazon Linux

edge-22.2.2

10 Feb 23:46
df311fd

This edge release updates the jaeger extension to be available in ARM
architectures and applies some security-oriented amendments.

  • Upgraded jaeger and the opentelemetry-collector to their latest versions,
    which now support ARM architectures
  • Fixed linkerd multicluster check which was reporting false warnings
  • Started enforcing TLS v1.2 as a minimum in the webhook servers
  • Had the identity controller emit SHA256 certificate fingerprints in its
    logs/events, instead of MD5

edge-22.2.1

04 Feb 17:21
2cee22d

This edge release removed the disableIdentity configuration now that the proxy
no longer supports running without identity.

  • Added a privileged configuration to linkerd-cni which is required by some
    environments
  • Fixed an issue where the TLS credentials used by the policy validator were not
    updated when the credentials were rotated
  • Removed the disableIdentity configurations now that the proxy no longer
    supports running without identity
  • Fixed an issue where linkerd jaeger check would needlessly fail for BYO
    Jaeger or collector installations
  • Fixed a Helm HA installation race condition introduced by the stoppage of
    namespace creation