edge-21.1.2

This edge release continues the work on decoupling non-core Linkerd components.
Commands that use the viz extension i.e, dashboard, edges, routes,
stat, tap and top are moved to the viz sub-command. These commands are still
available under root but are marked as deprecated and will be removed in a
later stable release.

This release also upgrades the proxy's dependencies to the Tokio v1 ecosystem.

• Moved sub-commands that use the viz extension under viz
• Started ignoring pods with Succeeded status when watching IP addresses
  in destination. This allows the re-use of IPs of terminated pods
• Support Bring your own Jaeger use-case by adding collector.jaegerAddr in
  the Jaeger extension.
• Fixed an issue with the generation of working manifests in the
  podAntiAffinity use-case
• Added support for the modification of proxy resources in the viz
  extension through values.yaml in Helm and flags in CLI.
• Improved error reporting for port-forward logic with namespace
  and pod data, used across dashboard, checks, etc
  (thanks @piyushsingariya)
• Added support to disable the rendering of linkerd-viz namespace
  resource in the viz extension (thanks @nlamirault)
• Made service-profile generation work offline with --ignore-cluster
  flag (thanks @piyushsingariya)
• Upgraded the proxy's dependencies to the Tokio v1 ecosystem

Warning: there is a known issue where upgrading to this release with the --prune flag as described in the Linkerd Upgrade documentation will delete certain Linkerd configuration and prevent you from performing any subsequent upgrades. It is highly recommended that you skip this version and instead upgrade directly to stable-2.9.3 or later. If you have already upgraded to this version, you can repair your installation by upgrading your CLI to stable-2.9.3 and using the linkerd repair command.

stable-2.9.2

This stable release fixes an issue that stops traffic to a pod when there is an
IP address conflict with another pod that is not in a running state.

It also fixes an upgrade issue when using HA that would lead to values being
overridden.

edge-21.1.1

This edge release introduces a new "opaque transport" feature that allows the
proxy to securely transport server-speaks-first and otherwise opaque TCP
traffic. Using the config.linkerd.io/opaque-ports annotation on pods and
namespaces, users can configure ports that should skip the proxy's protocol
detection.

Additionally, a new linkerd-viz extension has been introduced that separates
the installation of the Grafana, Prometheus, web, and tap components. This
extension closely follows the Jaeger and multicluster extensions; users can
install and uninstall with the linkerd viz .. command as well as configure
for HA with the --ha flag.

The linkerd viz install command does not have any cli flags to customize the
install directly, but instead follows the Helm way of customization by using
flags such as set, set-string, values, set-files.

Finally, a new /shutdown admin endpoint that may only be accessed over the
loopback network has been added. This allows batch jobs to gracefully terminate
the proxy on completion. The linkerd-await utility can be used to automate
this.

• Added a new linkerd multicluster check command to validate that the
  linkerd-multicluster extension is working correctly
• Fixed description in the linkerd edges command (thanks @jsoref!)
• Moved the Grafana, Prometheus, web, and tap components into a new Viz chart,
  following the same extension model that multicluster and Jaeger follow
• Introduced a new "opaque transport" feature that allows the proxy to securely
  transport server-speaks-first and otherwise opaque TCP traffic
• Removed the check comparing the ca.crt field in the identity issuer secret
  and the trust anchors in the Linkerd config; these values being different is
  not a failure case for the linkerd check command (thanks @cypherfox!)
• Removed the Prometheus check from the linkerd check command since it now
  depends on a component that is installed with the Viz extension
• Fixed error messages thrown by the cert checks in linkerd check (thanks
  @pradeepnnv!)
• Added PodDisruptionBudgets to the control plane components so that they cannot
  be all terminated at the same time during disruptions (thanks @tustvold!)
• Fixed an issue that displayed the wrong linkerd.io/proxy-version when it is
  overridden by annotations (thanks @mateiidavid!)
• Added support for custom registries in the linkerd-viz helm chart (thanks
  @jimil749!)
• Renamed proxy-mutator to jaeger-injector in the linkerd-jaeger extension
• Added a new /shutdown admin endpoint that may only be accessed over the
  loopback network allowing batch jobs to gracefully terminate the proxy on
  completion
• Introduced the linkerd identity command, used to fetch the TLS certificates
  for injected pods (thanks @jimil749)
• Fixed an issue with the CNI plugin where it was incorrectly terminating and
  emitting error events (thanks @mhulscher!)
• Re-added support for non-LoadBalancer service types in the
  linkerd-multicluster extension

edge-20.12.4

This edge release adds support for the config.linkerd.io/opaque-ports
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
linkerd-jaeger extension, fixes bugs in the CLI install and upgrade
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.

• Added support for the config.linkerd.io/opaque-ports annotation on pods and
  namespaces, to indicate to the proxy that some ports should skip protocol
  detection
• Fixed an issue where linkerd install --ha failed to honor flags
• Fixed an issue where linkerd upgrade --ha can override existing configs
• Added missing label to the linkerd-config-overrides secret to avoid breaking
  upgrades performed with the help of kubectl apply --prune
• Added a missing icon to Jaeger Helm chart
• Added new linkerd jaeger check CLI command to validate that the
  linkerd-jaeger extension is working correctly
• Added new linkerd jaeger uninstall CLI command to print the linkerd-jaeger
  extension's resources so that they can be piped into kubectl delete
• Fixed an issue where the linkerd-cni daemgitonset may not be installed on all
  intended nodes, due to missing tolerations to the linkerd-cni Helm chart
  (thanks @rish-onesignal!)
• Fixed an issue where the tap APIServer would not refresh its certs
  automatically when provided externally—like through cert-manager
• Changed the proxy's cache eviction strategy to reduce memory consumption,
  especially for busy HTTP/1.1 clients
• Fixed an issue in the proxy's HTTP protocol detection which could cause false
  positives for non-HTTP traffic
• Increased the proxy's default dispatch timeout to 5 seconds to accomodate
  connection pools which might open conenctions without immediately making a
  request
• Updated the proxy's Tokio dependency to v0.3

edge-20.12.3

This edge release is functionally the same as edge-20.12.2. It fixes an issue
that prevented the release build from occurring.

Warning: there is a known issue where upgrading to this release with the --prune flag as described in the Linkerd Upgrade documentation will delete certain Linkerd configuration and prevent you from performing any subsequent upgrades. It is highly recommended that you skip this version and instead upgrade directly to stable-2.9.3 or later. If you have already upgraded to this version, you can repair your installation by upgrading your CLI to stable-2.9.3 and using the linkerd repair command.

stable-2.9.1

This stable release contains a number of proxy enhancements: better support for
high-traffic workloads, improved performance by eliminating unnecessary endpoint
resolutions for TCP traffic and properly tearing down serverside connections
when errors occur, and reduced memory consumption on proxies which maintain many
idle connections (such as Prometheus' proxy).

On the CLI and control plane sides, it relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service was
modified.

• Proxy:

  • Addressed some issues reported around clients seeing max-concurrency errors
    by increasing the default in-flight request limit to 100K pending requests
  • Reduced the default idle connection timeout to 5s for outbound clients and
    for inbound clients to reduce the proxy's memory footprint, especially on
    Prometheus instances
  • Fixed an issue where the proxy did not receive updated endpoint information
    when a headless service was modified
  • Added HTTP/2 keepalive PING frames
  • Removed logic to avoid redundant TCP endpoint resolution
  • Fixed an issue where serverside connections were not torn down when an error
    occurred

• CLI / Helm / Control Plane:

  • Fixed a CLI issue where the linkerd-namespace flag was not honored when
    passed to the install and upgrade commands
  • Fixed installing HA through the CLI (linkerd install --ha) that wasn't
    honoring some of the default settings found in values-ha.yml
  • Force the webhook pods (proxy-injector, sp-validator and tap) to be
    restarted when upgrading through the CLI, if a secret they rely on changes
  • Fixed multicluster installation using Helm (thanks @DaspawnW!)
  • Updated linkerd check so that it doesn't attempt to validate the subject
    alternative name (SAN) on root and intermediate certificates. SANs for leaf
    certificates will continue to be validated
  • Fixed an issue in the destination service where endpoints always included a
    protocol hint, regardless of the controller label being present or not
  • Removed the get and logs command from the CLI
  • No longer panic in rare cases when linkerd-config doesn't have an entry
    for Global configs (thanks @hodbn!)

edge-20.12.1

This edge release continues the work of decoupling non-core Linkerd components
by moving more tracing related functionality into the Linkerd-jaeger extension.

• Continued work on moving tracing functionality from the main control plane
  into the linkerd-jaeger extension
• Fixed a potential panic in the proxy when looking up a socket's peer address
  while under high load
• Added automatic readme generation for charts (thanks @GMarkfjard!)
• Fixed zsh completion for the CLI (thanks @jiraguha!)
• Added support for multicluster gateways of types other than LoadBalancer
  (thanks @DaspawnW!)

edge-20.11.5

This edge release improves the proxy's support for high-traffic workloads. It also
contains the first steps towards decoupling non-core Linkerd components, the
first iteration being a new linkerd jaeger sub-command for installing tracing.
Please note this is still a work in progress.

• Addressed some issues reported around clients seeing max-concurrency errors by
  increasing the default in-flight request limit to 100K pending requests
• Have the proxy appropriately set content-type when synthesizing gRPC error
  responses
• Bumped the proxy-init image to v1.3.8 which is based off of
  buster-20201117-slim to reduce potential security vulnerabilities
• No longer panic in rare cases when linkerd-config doesn't have an entry for
  Global configs (thanks @hodbn!)
• Work in progress: the /jaeger directory now contains the charts and commands
  for installing the tracing component.

edge-20.11.4

• Fixed an issue in the destination service where endpoints always included a
  protocol hint, regardless of the controller label being present or not

edge-20.11.3

This edge release improves support for CNI by properly handling parameters
passed to the nsenter command, relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service is modified.
This release also improves linkerd proxy performance by eliminating unnecessary
endpoint resolutions for TCP traffic and properly tearing down serverside
connections when errors occur.

• Added HTTP/2 keepalive PING frames
• Removed logic to avoid redundant TCP endpoint resolution
• Fixed an issue where serverside connections were not torn down when an error
  occurs
• Updated linkerd check so that it doesn't attempt to validate the subject
  alternative name (SAN) on root and intermediate certificates. SANs for leaf
  certificates will continue to be validated
• Fixed a CLI issue where the linkerd-namespace flag is not honored when
  passed to the install and upgrade commands
• Fixed an issue where the proxy does not receive updated endpoint information
  when a headless service is modified
• Updated the control plane Docker images to use buster-20201117-slim to
  reduce potential security vulnerabilities
• Updated the proxy-init container to v1.3.7 which fixes CNI issues in certain
  environments by properly parsing nsenter args