Releases: linkerd/linkerd2

edge-21.9.3

16 Sep 22:38
d9470b3

This edge is a release candidate for stable-2.11.0! It features a new linkerd authz CLI command to list servers and authorizations for a workload, as well as
policy resources support for linkerd viz stat. Furthermore, this edge release
adds support for JSON log formatting, enables TLS detection on port 443
(previously marked as opaque), and further improves policy features.

  • Removed port 443 from the default list of opaque ports; this allows the
    proxy to report metadata (such as the connection's SNI value) on TLS
    connections to port 443
  • Added default policies for core Linkerd extensions
  • Added support for JSON log formatting to the policy controller
  • Added support for new policy resources to viz stat command
  • Added default policy annotation to linkerd-identity
  • Added a new linkerd authz command to the CLI to list all server and
    authorization resources that apply to a specific resource
  • Added TLS labels (including client identity) to authorization metrics in the
    proxy
  • Changed the opaque ports CLI check to consider service and pod ports when
    checking annotation values; previously, the check would naively issue warnings
    when the service annotation values were different from the pod it selected
  • Changed how the proxy forwards inbound connections to a pod locally; the proxy
    now targets the original address instead of a port bound on localhost to
    protect services that are only bound on loopback from being exposed to other
    pods
  • Improved memory utilization in the proxy, especially for TCP forwarding, where
    the memory allocated was reduced from 128KB to 16KB
  • Updated the inbound policy system for the proxies to always allow connections
    from localhost
  • Fixed an issue where the policy controller would not detect changes to the
    proxyProtocol field of Server resources
  • Fixed an issue where the policy admission controller would log a WARN
    message when deserializing Server structs

edge-21.9.2

09 Sep 22:57
e62112f

This edge release gets us closer to 2.11 by further polishing the policy
feature. Also, the proxy received a noticeable resource consumption improvement.

  • Stopped creating the default authorizations for the kubelet
  • Added missing ports to the destination controller's default list of ports, to
    allow the sp-validator to start properly when using a default-deny policy
  • Set the destination and proxy-injector pods default policy to
    all-unauthenticated to allow the webhooks to be called from the kube-api
    when using a default-deny policy
  • Extended inbound policies to cover the proxy's admin server
  • Improved the proxy's error handling so that HTTP metrics include 5XX responses
    for common errors
  • The proxy's outbound tap has been fixed to include route labels when service
    profiles are configured
  • Enabled link-time optimizations in the Rust components (proxy and policy
    controller), resulting in noticeable RSS and CPU consumption improvements
  • Made the admin servers in the control plane components properly shut down
    (thanks @EpicStep!)
  • Updated linkerd-await, suppressing the error emitted when linkerd-await was
    disabled

edge-21.9.1

03 Sep 17:39
e8ab1bb

This release includes various improvements and feature additions across the policy
feature, including a new validating webhook for policy resources. It also includes
changes in the proxy: TCP connections are now terminated when an authorization is
revoked, and the proxy's authorization metrics have been improved. In addition, the
proxy injector has been updated to set the right opaque-ports annotation on services
with default opaque ports.

  • Added a new validating admission controller to validate the policy resources
  • Updated the proxy-init to remove a rule which caused the packets from the proxy
    with destination != 127.0.0.1 on localhost to be sent to the inbound proxy
  • Updated inbound policy enforcement to interrupt TCP forwarding if a previously
    established authorization is revoked
  • Added new proxy metrics to expose authorization decisions
  • Updated inbound TCP metrics to only include a srv_name label
  • Updated the proxy to export route-oriented metrics only when a ServiceProfile
    is enabled
  • Updated the proxy's release build configuration to improve CPU and memory
    utilization
  • Added DNS name validation to the proxy-identity binary which creates the
    read-only private key required by the proxy (thanks @yorkijr!)
  • Updated the identity controller's default policy to be cluster-unauthenticated
  • Updated the proxy injector to include the correct default ports as opaque with
    services
  • Deprecated the usage of viz stat ts; it now prints a warning about the SMI extension
  • Updated various dependencies across the dashboard, policy-controller
    (thanks @dependabot!)

edge-21.8.4

26 Aug 22:56
99eb134

This edge release continues to build on the policy feature by adding support for
cluster-scoped default policies and exposing policy labels on various Prometheus
metrics. The proxy has been updated to return HTTP-level authorization errors
at the time that the request is processed, instead of when the connection is
established.

In addition, the proxy-injector has been updated to set the opaque-ports
annotation on a workload to make sure that controllers can discover how the
workload was configured. Also, the sleep binary has been added to the proxy
image in order to restore the functionality required for waitBeforeExitSeconds
to work.

  • Added default-inbound-policy annotation to the proxy-injector
  • Updated the proxy-injector to always add the opaque-ports annotation
  • Added sleep binary to proxy image
  • Updated inbound traffic metrics to include server and authorization labels
  • Updated the policy-controller to honor pod level port annotations when a
    Server resource definition does not match the ports defined for the workload
  • Updated the point at which the proxy returns HTTP-level authorization errors
  • Exposed permit and policy labels on HTTP metrics
  • Added support for cluster-scoped default policies
  • Dropped nonroot variant from the policy-controller's distroless base image
    to avoid erroring in some environments.

edge-21.8.3

19 Aug 23:14
9da7226

This release adds support for dynamic inbound policies. The proxy now discovers
policies from the policy-controller API for all application ports documented in a
pod spec. Rejected connections are logged. Policies are not yet reflected in the
proxy's metrics.

These policies also allow the proxy to skip protocol detection when a server is
explicitly annotated as HTTP/2 or when the server is documented to be opaque or
application-terminated TLS.

  • Added a new section to linkerd-viz's dashboard that lists installed extensions
    (thanks @sannimichaelse!)
  • Added the enableHeadlessServices Helm flag to the linkerd multicluster link
    command for enabling headless service mirroring (thanks @knutgoetz!)
  • Removed some unused and duplicate constants in the codebase (thanks
    @xichengliudui!)
  • Added support for exposing service metadata from exported to mirrored services
    in multicluster installations (thanks @importhuman!)
  • Fixed an issue where the policy controller's liveness checks would fail after
    the controller was disconnected but had successfully resumed its watches
  • Fixed the linkerd-policy service selector to properly select destination
    control plane components
  • Added additional environment variables to the proxy container to allow support
    for dynamic policy configuration

edge-21.8.2

13 Aug 17:36
79a5849

This edge release continues the policy work by adding a new controller, written
in Rust, to expose a discovery API for inbound server policies. Apart from
that, this release includes a number of changes from external contributors; the
linkerd-jaeger helm chart now supports passing arguments to the Jaeger
container through the chart's values file. A number of unused functions and
variables have also been removed to improve the quality of the codebase.
Finally, this release also comes with changes to the proxy's outbound behavior,
a new extensions page on the dashboard, and support for querying service
metrics using the authority label in linkerd viz stat.

  • Introduced the new linkerd-policy-controller; the new controller is written in
    Rust and implements discovery APIs for inbound server policies; the container
    has been added to the linkerd-destination pod
  • Updated linkerd-jaeger helm chart to support passing arguments to the
    Jaeger container (thanks @bsord!)
  • Added support for querying service metrics using the authority label in
    linkerd viz stat
  • Improved code hygiene by removing unused constants and functions throughout
    the codebase (thanks @xichengliudui!)
  • Added a new extensions page to the dashboard to list all known built-in and
    third party extensions that can be used with Linkerd
  • Changed outbound behavior in the proxy to tear down server-side connections
    when the remote proxy returns responses that indicate proxy errors; the
    connection in this case will be reset to allow clients to connect to a new
    endpoint

edge-21.8.1

05 Aug 20:22
c20c4a7

This release includes initial changes toward adding authorization to Linkerd.
It adds the new policy.linkerd.io CRDs to the core install, and it also
includes numerous dependency updates in both the web and dashboard.

  • Added servers.policy.linkerd.io and serverauthorizations.policy.linkerd.io
    CRDs into the default Linkerd installation to support configuration and
    discovery of inbound policies
  • Modified the proxy to support upcoming policy features
  • Updated several dashboard dependencies to latest versions
  • Updated several proxy dependencies to latest versions

edge-21.7.5

30 Jul 16:40
b83b442

This release updates Linkerd to store the identity trust root in a ConfigMap to
make it easier to manage and rotate the trust root. The release also lays the
groundwork for StatefulSet support in the multicluster extension and removes
deprecated PSP resources by default.

  • Added a linkerd-identity-trust-roots ConfigMap which contains the configured
    trust root bundle
  • Introduced support for StatefulSets across multicluster (disabled by default)
  • Stopped installing PSP resources by default since these are deprecated as
    of Kubernetes v1.21

edge-21.7.4

22 Jul 20:15
b8c0c74

This release continues to focus on dependency updates. It also adds the
l5d-proxy-error information header to distinguish proxy-generated errors
from application-generated errors.

  • Updated several project dependencies
  • Added a new l5d-proxy-error header on responses that allows proxy-generated
    error responses to be distinguished from application-generated error responses.
  • Removed support for configuring HTTP/2 keepalives via the proxy.
    Configuring this setting would sometimes cause conflicts with Go gRPC servers
    and clients
  • Added a new target_addr label to *_tcp_accept_errors metrics to improve
    diagnostics, especially for TLS detection timeouts

edge-21.7.3

15 Jul 21:52
4f59fb1

This edge release introduces several changes around metrics. ReplicaSets are now
a supported resource and metrics can be associated with them. A new metric has
been added which counts proxy errors encountered before a protocol can be
detected. Finally, the request errors metric has been split into separate
inbound and outbound directions.

  • Fixed printing check --pre command usage if it fails after being unable to
    connect to Kubernetes (thanks @rdileep13!)
  • Updated the default skip and opaque ports to match those listed in the
    documentation
  • Added the LINKERD2_PROXY_INBOUND_PORTS environment variable during proxy
    injection which will be used by ongoing policy changes
  • Added client-go cache size metrics to the diagnostics controller-metrics
    command
  • Added validation that the certificate provided by an external issuer is a CA
    (thanks @rumanzo!)
  • Added metrics support for ReplicaSets
  • Replaced the request_errors_total metric with two new metrics:
    inbound_http_errors_total and outbound_http_errors_total
  • Introduced the inbound_tcp_accept_errors_total and
    outbound_tcp_accept_errors_total metrics which count proxy errors
    encountered before a protocol can be detected