edge-21.3.2

This edge release is another release candidate for stable 2.10 and fixes some
final bugs found in testing. A big thank you to users who have helped us
identity these issues!

• Fixed an issue with the service profile validating webhook that prevented
  service profiles from being added or updated
• Updated the check command output hint anchors to match Linkerd component
  names
• Fixed a permission issue with the Viz extension's tap admin cluster role by
  adding namespace listing to the allowed actions
• Fixed an issue with the proxy where connections would not be torn down when
  communicating with a defunct endpoint
• Improved diagnostic logging in the proxy
• Fixed an issue with the Viz extension's Prometheus template that prevented
  users from specifying a log level flag for that component (thanks @n-oden!)
• Fixed a template parsing issue that prevented users from specifying additional
  ignored inbound parts through Helm's --set flag
• Fixed an issue with the proxy where non-HTTP streams could sometimes hang due
  to TLS buffering

edge-21.3.1

This edge release is another release candidate, bringing us closer to
stable-2.10.0! It fixes the Helm install/upgrade procedure and ships some new
CLI commands, among other improvements.

• Fixed Helm install/upgrade, which was failing when not explicitly setting
  proxy.image.version
• Added a warning in the dashboard when viewing tap streams from resources that
  don't have tap enabled
• Added the command linkerd viz list to list meshed pods and indicate which can
  be tapped, which need to be restarted before they can be tapped, and which
  have tap disabled
• Similarly, added the command linkerd jaeger list to list meshed pods and
  indicate which will participate in tracing
• Added the --opaque-ports flag to linkerd inject to specify the list of
  opaque ports when injecting pods (and services)
• Simplified the output of linkerd jaeger check, combining the checks for the
  status of each component into a single check
• Changed the destination component to receive the list of default opaque ports
  set during install so that it's properly reflected during discovery
• Moved the level of the proxy server's I/O-related "Connection closed" messages
  from info to debug, which were not providing actionable information

edge-21.2.4

This edge is a release candidate for stable-2.10.0! It wraps up the functional
changes planned for the upcoming stable release. We hope you can help us test
this in your staging clusters so that we can address anything unexpected before
an official stable.

This release introduces support for CLI extensions. The Linkerd check command
will now invoke each extension's check command so that users can check the
health of their Linkerd installation and extensions with one command. Additional
documentation will follow for developers interested in creating extensions.

Additionally, there is no longer a default list of ports skipped by the proxy.
These ports have been moved to opaque ports, meaning protocols like MySQL will
be encrypted by default and without user input.

• Cleaned up entries in values.yaml by removing do not edit entries; they
  are now hardcoded in the templates
• Added the count of service profiles installed in a cluster to the Heartbeat
  metrics
• Fixed CLI commands which would unnecessarily print usage instructions after
  encountering API errors (thanks @piyushsingariya!)
• Fixed the install command so that it errors after detecting there is an
  existing Linkerd installation in the cluster
• Changed the identity controller to receive the trust anchor via environment
  variable instead of by flag; this allows the certificate to be loaded from a
  config map or secret (thanks @mgoltzsche!)
• Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains enabled
  for compatibility with prior proxy versions
• The opaque ports annotation is now supported on services and enables users to
  use this annotation on mirrored services in multicluster installations
• Reverted the renaming of the mirror.linkerd.io label
• Ports 25,443,587,3306,5432,11211 have been removed from the default skip
  ports; all traffic through those ports is now proxied and handled opaquely by
  default
• Errors configuring the firewall in CNI are propagated so that they can be
  handled by the user
• Removed Viz extension warnings from the check --proxy command when tap is
  not configured for pods; this is now handled by the viz tap command
• Added support for CLI extensions as well as ensuring their check commands
  are invoked by Linkerd's check command
• Moved the metrics, endpoints, and install-sp commands into subcommands
  under the diagnostics command.
• Removed the linkerd- prefix from non-cluster scoped resources in the Viz and
  Jaeger extensions
• Added the linkerd-await helper to all Linkerd containers so that the proxy can
  initialize before the components start making outbound connections
• Removed the tcp_connection_duration_ms histogram from the metrics export to
  fix high cardinality issues that surfaced through high memory usage

stable-2.9.4

This stable release fixes an issue that prevented the proxy from being able to
speak HTTP/1 with older versioned proxies (announced in 2.9.3 but the fix wasn't
actually included).

• Fixed an issue that could cause the inbound proxy to fail meshed HTTP/1
  requests from older proxies (from the stable-2.8.x vintage)
• Fixed linkerd install command so that it can properly detect and avoid
  overwriting already installed linkerd instances from versions previous to 2.9
• Docker images are now hosted on the cr.l5d.io registry
• Updated base docker images to buster-20210208-slim

edge-21.2.3

This release wraps up most of the functional changes planned for the upcoming
stable-2.10.0 release. Try this edge release in your staging cluster and
let us know if you see anything unexpected!

• Breaking change: Changed the multicluster Service-export annotation
  from mirror.linkerd.io/exported to multicluster.linkerd.io/export
• Updated the proxy-injector to to set the config.linkerd.io/opaque-ports
  annotation on newly-created Service objects when the annotation is set on
  its parent Namespace
• Updated the proxy-injector to ignore pods that have disabled
  automountServiceAccountToken (thanks @jimil749)
• Updated the proxy to log warnings when control plane components are
  unresolveable
• Updated the Destination controller to cache node topology metadata (thanks
  @fpetkovski)
• Updated the CLI to handle API errors without printing the CLI usage (thanks
  @piyushsingariya)
• Updated the Web UI to only display the "Gateway" sidebar link when the
  multicluster extension is active
• Fixed the Web UI on Chrome v88 (thanks @kellycampbell)
• Improved install and uninstall behavior for extensions to prevent
  control-plane components from being left in a broken state
• Docker images are now hosted on the cr.l5d.io registry
• Updated base docker images to buster-20210208-slim
• Updated the Go version to 1.14.15
• Updated the proxy to prevent outbound connections to localhost to protect
  against traffic loops

edge-21.2.2

This edge release introduces support for multicluster TCP!

The repair command was added which will repopulate resources needed for
upgrading from a 2.9.x installation. There will be an error message during the
upgrade process indicating that this command should be run so that users do not
need to guess.

Lastly, it contains a breaking change for Helm users. The global field has
been removed from the Helm chart now that it is no longer needed. Users will
need to pass in the identity certificates again—along with any other
customizations, no longer rooted at global.

• Breaking change: Removed the Global field from the Linkerd Helm chart
  now that it is unused because of the extension model
• Added the repair command which will repopulate resources needed for properly
  upgrading a Linkerd installation
• Fixed the spelling of the sidecarContainers key in the Viz extension Helm
  chart to match that of the template (thanks @n-oden!)
• Added the tapInjector.logLevel key to the Viz extension helm chart so that
  the log level of the component can be configured
• Removed the --disable-tap flag from the inject command now that tap is no
  longer part of the core installation (thanks @mayankshah1607!)
• Changed proxy configuration to use fully-qualified DNS names to avoid extra
  search paths in DNS resolutions
• Changed the check command to include each installed extension's check
  output; this allows users to check for proper configuration and installation
  of Linkerd without running a command for each extension
• Added proxy support for TCP traffic to the multicluster gateways

stable-2.9.3

This stable release fixes an issue that prevented the proxy from being able
to speak HTTP/1 with older versioned proxies. It also fixes an issue where the
linkerd-config-overrides secret would be deleted during upgrade and provides
a linkerd repair command for restoring it if it has been deleted.

• Fixed an issue that could cause the inbound proxy to fail meshed HTTP/1
  requests from older proxies (from the stable-2.8.x vintage)
• Fixed an issue where the Linkerd webhooks and apiservices would not refresh
  their certs automatically when provided externally — like through cert-manager
• Added missing label linkerd.io/control-plane-ns to the
  linkerd-config-overrides secret to prevent it from being pruned during
  upgrades
• Added linkerd repair command to restore the linkerd-config-overrides
  secret if it has been pruned
• Added port 5432 which is used by Amazon RDS and Postgres to the default list
  of skipped ports

edge-21.2.1

This edge release continues improving the proxy's diagnostics and also avoids
timing out when the HTTP protocol detection fails. Additionally, old resource
versions were upgraded to avoid warnings in k8s v1.19. Finally, it comes with
lots of CLI improvements detailed below.

• Improved the proxy's diagnostic metrics to help us get better insights into
  services that are in fail-fast
• Improved the proxy's HTTP protocol detection to prevent timeout errors
• Upgraded CRD and webhook config resources to get rid of warnings in k8s v1.19
  (thanks @mateiidavid!)
• Added viz components into the Linkerd Health Grafana charts
• Had the tap injector add a viz.linkerd.io/tap-enabled annotation when
  injecting a pod, which allowed providing clearer feedback for the linkerd tap command
• Had the jaeger injector add a jaeger.linkerd.io/tracing-enabled annotation
  when injecting a pod, which also allowed providing better feedback for the
  linkerd jaeger check command
• Improved the linkerd uninstall command so it fails gracefully when there
  still are injected resources in the cluster (a --force flag was provided
  too)
• Moved the linkerd profile --tap functionality into a new command linkerd viz profile --tap, given tap now belongs to the viz extension
• Expanded the linkerd viz check command to include data-plane checks
• Cleaned-up YAML in templates that was incompatible with SOPS (thanks
  @tkms0106!)

edge-21.1.4

This edge release continues to polish the Linkerd extension model and improves
the robustness of the opaque transport.

• Improved the consistency of behavior of the check commands between
  Linkerd extensions
• Fixed an issue where Linkerd extension commands could be run before the
  extension was fully installed
• Renamed some extension Helm charts for consistency:
  • jaeger -> linkerd-jaeger
  • linkerd2-multicluster -> linkerd-multicluster
  • linkerd2-multicluster-link -> linkerd-multicluster-link
• Fixed an issue that could cause the inbound proxy to fail meshed HTTP/1
  requests from older proxies (from the stable-2.8.x vintage)
• Changed opaque-port transport to be advertised via ALPN so that new proxies
  will not initiate opaque-transport connections to proxies from prior edge
  releases
• Added inbound proxy transport metrics with tls="passhtru" when forwarding
  non-mesh TLS connections
• Thanks to @hs0210 for adding new unit tests!

edge-21.1.3

This edge release improves proxy diagnostics and recovery in situations where
the proxy is temporarily unable to route requests. Additionally, the viz and
multicluster CLI sub-commands have been updated for consistency.

Full release notes:

• Added Helm-style set, set-string, values, set-files customization
  flags for the linkerd install and linkerd multicluster install commands
• Fixed an issue where linkerd metrics could return metrics for the incorrect
  set of pods when there are overlapping label selectors
• Added tap-injector to linkerd-viz which is responsible for adding the tap
  service name environment variable to the Linkerd proxy container
• Improved diagnostics when the proxy is temporarily unable to route requests
• Made proxy recovery for a service more robust when the proxy is unable to
  route requests, even when new requests are being received
• Added client and server prefixes in the proxy logs for socket-level errors
  to indicate which side of the proxy encountered the error
• Improved jaeger-injector reliability in environments with many resources by
  adding watch RBAC permissions
• Added check to confirm whether the jaeger-injector pod is in running state
  (thanks @yashvardhan-kukreja!)
• Fixed a crash in the destination controller when EndpointSlices are enabled
  (thanks @oleh-ozimok!)
• Added a linkerd viz check sub-command to verify the states of the
  linkerd-viz components
• Added a log-format flag to optionally output the control plane component log
  output as JSON (thanks @mo4islona!)
• Updated the logic in the metrics and profile subcommands to use the
  namespace specified by the current-context of the KUBECONFIG so that it is
  no longer necessary to use the --namespace flag to query resources in the
  current namespace. Queries for resources in namespaces other than the
  current namespace still require the --namespace flag
• Added new pod 'linkerd-metrics-api' set up by linkerd viz install that
  manages all functionality dependent on Prometheus, thus removing most of the
  dependencies on Prometheus from the linkerd core installation
• Removed need to have linkerd-viz installed for the
  linkerd multicluster check command to properly work.