edge-20.7.2

This edge release moves Linkerd's bundled Prometheus into an add-on. This makes
the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle
from the rest of the control plane, and will allow users to disable the bundled
Prometheus instance. In addition, this release includes fixes for several
issues, including a regression where the proxy would fail to report OpenCensus
spans.

• Prometheus is now an optional add-on, enabled by default
• Custom tolerations can now be specified for control plane resources when
  installing with Helm (thanks @DesmondH0!)
• Evicted data plane pods are no longer considered to be failed by
  linkerd check --proxy, fixing an issue where the check would be retried
  indefinitely as long as evicted pods are present
• Fixed a regression where proxy spans were not reported to OpenCensus
• Fixed a bug where the proxy injector would fail to render skipped port lists
  when installed with Helm
• Internal improvements to the proxy for lower latencies under high concurrency
• Thanks to @Hellcatlk and @surajssd for adding new unit tests and spelling
  fixes!

edge-20.7.1

This edge release features the option to persist prometheus data to a volume
instead of memory, so that historical metrics are available when prometheus is
restarted. Additional changes are outlined in the bullet points below.

• Some commands like linkerd stat would fail if any control plane components
  were unhealthy, even when other replicas are healthy. The check conditions
  for these commands have been improved
• The helm chart can now configure persistent storage for Prometheus
  (thanks @naseemkullah!)
• The proxy log output format can now be configured to plain or json using
  the config.linkerd.io/proxy-log-format annotation or the
  global.proxy.logFormat value in the helm chart
  (thanks again @naseemkullah!)
• linkerd install --addon-config= now supports URLs in addition to local
  files
• The CNI Helm chart used the incorrect variable name to determine the createdBy
  version tag. This is now controlled by cniPluginVersion in the helm chart
• The proxy's default buffer size has been increased, which reduces latency when
  the proxy has many concurrent clients

edge-20.6.4

This edge release moves the proxy onto a new version of the Tokio runtime. This
allows us to more easily integrate with the ecosystem and may yield performance
benefits as well.

• Upgraded the proxy's underlying Tokio runtime and its related libraries
• Added support for PKCS8 formatted ECDSA private keys
• Added support for Helm configuration of per-component proxy resources requests
  and limits (thanks @cypherfox!)
• Updated the linkerd inject command to throw an error while injecting
  non-compliant pods (thanks @mayankshah1607)

stable-2.8.1

This release fixes multicluster gateways support on EKS.

• The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address is not known.
• Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
• Have the service mirror controller check in linkerd check retry on failures.
• As of this version we're including a Chocolatey package (Windows) next to the
  other binaries in the release assets in GitHub.
• Base images have been updated:
  • debian:buster-20200514-slim
  • grafana/grafana:7.0.3
• The shell scripts under bin continued to be improved, thanks to @joakimr-axis!

edge-20.6.3

This edge release is a release candidate for stable-2.8.1. It includes a fix
to support multicluster gateways on EKS.

• The config.linkerd.io/proxy-destination-get-networks annotation configures
  the networks for which a proxy can discover metadata. This is an advanced
  configuration option that has security implications.
• The multicluster service-mirror has been extended to resolve DNS names for
  target clusters when an IP address it not known.
• Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger
  for providing a fix!
• The CLI will be published for Chocolatey (Windows) on future stable releases.
• Base images have been updated:
  • debian:buster-20200514-slim
  • grafana/grafana:7.0.3

stable-2.8.0

This release introduces new a multi-cluster extension to Linkerd, allowing it
to establish connections across Kubernetes clusters that are secure,
transparent to the application, and work with any network topology.

• The CLI has a new set of linkerd multicluster sub-commands that provide
  tooling to create the resources needed to discover services across
  Kubernetes clusters.
• The linkerd multicluster gateways command exposes gateway-specific
  telemetry to supplement the existing stat and tap commands.
• The Linkerd-provided Grafana instance remains enabled by default, but it can
  now be disabled. When it is disabled, the Linkerd dashboard can be
  configured to link to an alternate, externally-managed Grafana instance.
• Jaeger & OpenCensus are configurable as an add-on; and the
  proxy has been improved to emit spans with labels that reflect its pod's
  metadata.
• The linkerd-cni component has been promoted from experimental to
  stable.
• linkerd profile --open-api now honors the x-linkerd-retryable and
  x-linkerd-timeout OpenAPI annotations.
• The Helm chart continues to become more flexible and modular, with new
  Prometheus configuration options. More information is available in the
  Helm chart README.
• gRPC stream error handling has been improved so that transport errors
  are indicated to the client with a grpc-status: UNAVAILABLE trailer.
• The proxy's memory footprint could grow significantly when
  server-speaks-first-protocol connections hit the proxy. Now, a timeout is
  in place to prevent these connections from consuming resources.
• After benchmarking the proxy in high-concurrency situations, the inbound
  proxy has been improved to reduce contention, improving latency and
  reducing spurious timeouts.
• The proxy could fail requests to services that had only 1 request every 60
  seconds. This race condition has been eliminated.
• Finally, users reported that ingress misconfigurations could cause the proxy
  to consume an entire CPU which could lead to timeouts. The proxy now
  attempts to prevent the most common traffic-loop scenarios to protect against
  this.

NOTE: Linkerd's multicluster extension does not yet work on Amazon
EKS. We expect to follow this release with a stable-2.8.1 to address this
issue. Follow #4582 for updates.

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: @aliariff,
@amariampolskiy, @arminbuerkle, @ArthurSens, @christianhuening,
@christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble,
@joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207,
@mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.

edge-20.6.2

This edge release is our second release candidate for stable-2.8, including
various fixes and improvements around multicluster support.

• CLI
  • Fixed bad output in the linkerd multicluster gateways command
  • Improved the error returned when running the CLI with no KUBECONFIG path set
    (thanks @Matei207!)
• Controller
  • Fixed issue where mirror service wasn't created when paired to a gateway
    whose external IP wasn't yet provided
  • Fixed issue where updating the gateway identity annotation wasn't propagated
    back into the mirror gateway endpoints object
  • Fixed issue where updating the gateway ports wasn't reflected in the gateway
    mirror service
  • Increased the log level for some of the service mirror events
  • Changed the nginx gateway config so that it runs as non-root and denies all
    requests to locations other than the probe path
• Web UI
  • Fixed multicluster Grafana dashboard
• Internal
  • Added flag in integration tests to dump fixture diffs into a separate
    directory (thanks @cypherfox!)

edge-20.6.1

This edge release is a release candidate for stable-2.8! It introduces several
improvements and fixes for multicluster support.

• CLI
  • Added multicluster daisy chain checks to linkerd check
  • Added list of successful gateways in multicluster checks section of linkerd check
• Controller
  • Renamed nginx-configuration ConfigMap to linkerd-gateway-config (please
    manually remove the former if upgrading from an earlier multicluster
    install, thanks @mayankshah1607!)
  • Renamed multicluster gateway ports to mc-gateway and mc-probe
  • Fixed Service Profiles routes for linkerd-prometheus
• Internal
  • Fixed shellcheck errors in all bin/ scripts (thanks @joakimr-axis!)
• Helm
  • Added support for linkerd mc allow
  • Added ability to disable secret rescources for self-signed certs (thanks
    @cypherfox!)
• Proxy
  • Modified the linkerd-gateway component to use the inbound proxy, rather
    than nginx, for gateway; this allows Linkerd to detect loops and propogate
    identity

edge-20.5.5

This edge release adds refinements to the Linkerd multicluster implementation,
adds new health checks for the tracing add-on, and addresses an issue in which
outbound requests from the proxy result in looping behavior.

• CLI
  • Added the multicluster command along with subcommands to configure and
    deploy Linkerd workloads which enable services to be mirrored across
    clusters
  • Added health-checks for tracing add-on
• Proxy
  • Added logic to prevent loops in outbound requests

edge-20.5.4

• CLI
  • Fixed the display of the meshed pod column for non-selector services in
    linkerd stat output
  • Added an addon-overwrite upgrade flag which allows users to overwrite the
    existing addon config rather than merging into it
  • Added a --close-wait-timeout inject flag which sets the
    nf_conntrack_tcp_timeout_close_wait property which can be used to mitigate
    connection issues with application that hold half-closed sockets
• Controller
  • Restricted the service-mirror's RBAC permissions so that it no longer is
    able to read secrets in all namespaces
  • Moved many multicluster components into the linkerd-multicluster namespace
    by default
  • Added multicluster gateway mirror services to allow multicluster liveness
    probes to work in private networks
  • Fixed an issue where multicluster gateway mirror services could be
    incorrectly deleted during a resync
• Internal
  • Fixed many style issues in build scripts (thanks @joakimr-axis!)
• Helm
  • Added global.grafanaUrl variable to allow using an existing Grafana
    installation