Releases: linkerd/linkerd2

edge-20.3.3

19 Mar 20:33
fcc8700

This release introduces new experimental CLI commands for querying metrics using
the Service Mesh Interface (SMI) and for multi-cluster support via service
mirroring.

If you would like to learn more about service mirroring or SMI, or are
interested in experimenting with these features, please join us in
Linkerd Slack for help and feedback.

  • CLI
    • Added experimental linkerd cluster commands for managing multi-cluster
      service mirroring
    • Added the experimental linkerd alpha clients command, which uses the
      smi-metrics API to display client-side metrics from each of a resource's
      clients
    • Added retries to some linkerd check checks to prevent spurious failures
      when run immediately after cluster creation or Linkerd installation

edge-20.3.2

12 Mar 14:52
7c0e6a8

This release introduces substantial proxy improvements as well as
new observability and security functionality.

  • CLI
    • Added the linkerd alpha stat command, which uses the smi-metrics
      API; the latter enables access to metrics to be controlled with RBAC
  • Controller
    • Added support for configuring service profile timeouts
      (x-linkerd-timeout) via OpenAPI spec (thanks @lewiscowper!)
  • Web UI
    • Improved the Grafana dashboards to use a globbing operator for Prometheus in
      order to avoid producing queries that are too large (thanks @mmiller1!)
  • Helm
    • Improved the linkerd2 chart README (thanks @lundbird!)
  • Proxy
    • Fixed a bug that could cause log levels to be processed incorrectly

edge-20.3.1

06 Mar 00:46
51edaec

This release introduces new functionality mainly focused around
observability and multi-cluster support via service mirroring.

If you would like to learn more about service mirroring or are interested in
experimenting with this feature, please join us in Linkerd Slack for help and feedback.

  • CLI
    • Improved the linkerd check command to check for extension server
      certificate (thanks @christyjacob4!)
  • Controller
    • Removed restrictions preventing Linkerd from injecting proxies into
      Contour (thanks @alfatraining!)
    • Added an experimental version of a service mirroring controller, allowing
      discovery of services on remote clusters.
  • Web UI
    • Fixed a bug causing incorrect Grafana links to be rendered in the web
      dashboard.
  • Proxy
    • Fixed a bug that could cause the proxy's load balancer to stop processing
      updates from service discovery.

edge-20.2.3

27 Feb 22:10
42349d6

This release introduces the first optional add-on, tracing, added through the
new add-on model!

The existing optional tracing components Jaeger and OpenCensus can now be
installed as add-on components.

There will be more information to come about the new add-on model, but please
refer to the details of #3955 for how to get started.

  • CLI
    • Added the linkerd diagnostics command to get metrics only from the
      control plane, excluding metrics from the data plane proxies (thanks
      @srv-twry!)
    • Added the linkerd install --prometheus-image option for installing a
      custom Prometheus image (thanks @christyjacob4!)
    • Fixed an issue with linkerd upgrade where changes to the Namespace
      object were ignored (thanks @supra08!)
  • Controller
    • Added the tracing add-on which installs Jaeger and OpenCensus as add-on
      components (thanks @Pothulapati!!)
  • Proxy
    • Increased the inbound router's default capacity from 100 to 10k to
      accommodate environments that have a high cardinality of virtual hosts
      served by a single pod
  • Web UI
    • Fixed styling in the CallToAction banner (thanks @aliariff!)

edge-20.2.2

21 Feb 00:02
8c12f03

This release includes the results from continued profiling & performance
analysis on the Linkerd proxy. In addition to modifying internals to prevent
unwarranted memory growth, new metrics were introduced to aid in debugging and
diagnostics.

Also, Linkerd's CNI plugin is no longer experimental; check out the docs at
https://linkerd.io/2/features/cni/!

  • CLI
    • Added support for label selectors in the linkerd stat command (thanks
      @mayankshah1607!)
    • Added scrolling functionality to the linkerd top output (thanks
      @kohsheen1234!)
    • Fixed bug in linkerd metrics that was causing a panic when port-forwarding
      failed (thanks @mayankshah1607!)
    • Added check to linkerd check verifying the number of replicas for Linkerd
      components in HA (thanks @mayankshah1607!)
    • Unified trust anchors terminology across the CLI commands
    • Removed some messages from linkerd upgrade's output that are no longer
      relevant (thanks @supra08!)
  • Controller
    • Added support for configuring service profile retries
      (x-linkerd-retryable) via OpenAPI spec (thanks @kohsheen1234!)
    • Improved traffic split metrics so sources in all namespaces are shown, not
      just traffic from the traffic split's own namespace
    • Improved linkerd-identity's logs and events to help diagnose certificate
      validation issues (thanks @mayankshah1607!)
  • Proxy
    • Added request_errors_total metric exposing the number of requests that
      receive synthesized responses due to proxy errors
  • Helm
    • Added a new enforcedHostRegexp variable to allow configuring the
      linkerd-web component enforced host (that was previously introduced to
      protect against DNS rebinding attacks) (thanks @sannimichaelse!)
  • Internal

stable-2.7.0

06 Feb 21:38
b9caae0

This release adds support for integrating Linkerd's PKI with an external certificate issuer such as cert-manager as well as streamlining the certificate rotation process in general. For more details about cert-manager and certificate rotation, see the docs. This release also includes performance improvements to the dashboard, reduced memory usage of the proxy, various improvements to the Helm chart, and much much more.

To install this release, run: curl https://run.linkerd.io/install | sh

Upgrade notes: This release includes breaking changes to our Helm charts.
Please see the upgrade instructions.

Special thanks to: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre,
@javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607,
@Pothulapati, and @StupidScience!

Full release notes:

  • CLI
    • Updated the mTLS trust anchor checks to eliminate false positives caused by
      extra trailing spaces
    • Reduced the severity level of the Linkerd version checks, so that they
      don't fail when the external version endpoint is unreachable
      (thanks @mayankshah1607!)
    • Added a new tap APIService check to aid with uncovering Kubernetes API
      aggregation layer issues (thanks @droidnoob!)
    • Introduced CNI checks to confirm the CNI plugin is installed and ready;
      this is done through linkerd check --pre --linkerd-cni-enabled before
      installation and linkerd check after installation if the CNI plugin is
      present
    • Added support for the --as-group flag so that users can impersonate
      groups for Kubernetes operations (thanks @mayankshah1607!)
    • Added HA specific checks to linkerd check to ensure that the kube-system
      namespace has the config.linkerd.io/admission-webhooks:disabled
      label set
    • Fixed a problem causing the presence of unnecessary empty fields in
      generated resource definitions (thanks @mayankshah1607)
    • Added the ability to pass both port numbers and port ranges to
      --skip-inbound-ports and --skip-outbound-ports (thanks to @javaducky!)
    • Increased the comprehensiveness of linkerd check --pre
    • Added TLS certificate validation to check and upgrade commands
    • Added support for injecting CronJobs and ReplicaSets, as well as the ability
      to use them as targets in the CLI subcommands
    • Introduced the new flags --identity-issuer-certificate-file,
      --identity-issuer-key-file and --identity-trust-anchors-file to
      linkerd upgrade to support trust anchor and issuer certificate rotation
    • Added a check that ensures using --namespace and --all-namespaces
      results in an error as they are mutually exclusive
    • Added a Dashboard.Replicas parameter to the Linkerd Helm chart to allow
      configuring the number of dashboard replicas (thanks @KIVagant!)
    • Removed redundant service profile check (thanks @alenkacz!)
    • Updated uninject command to work with namespace resources
      (thanks @mayankshah1607!)
    • Added a new --identity-external-issuer flag to linkerd install that
      configures Linkerd to use certificates issued by an external certificate
      issuer (such as cert-manager)
    • Added support for injecting a namespace to linkerd inject (thanks
      @mayankshah1607!)
    • Added checks to linkerd check --preinstall ensuring Kubernetes Secrets
      can be created and accessed
    • Fixed linkerd tap sometimes displaying incorrect pod names for unmeshed
      IPs that match multiple running pods
    • Made linkerd install --ignore-cluster and --skip-checks faster
    • Fixed a bug causing linkerd upgrade to fail when used with
      --from-manifest
    • Made --cluster-domain an install-only flag (thanks @bmcstdio!)
    • Updated check to ensure that proxy trust anchors match configuration
      (thanks @ereslibre!)
    • Added condition to the linkerd stat command that requires a window size
      of at least 15 seconds to work properly with Prometheus
  • Controller
    • Fixed an issue where an override of the Docker registry was not being
      applied to debug containers (thanks @javaducky!)
    • Added check for the Subject Alternative Name attributes to the API server
      when access restrictions have been enabled (thanks @javaducky!)
    • Added support for arbitrary pod labels so that users can leverage the
      Linkerd provided Prometheus instance to scrape for their own labels
      (thanks @daxmc99!)
    • Fixed an issue with CNI config parsing
    • Fixed a race condition in the linkerd-web service
    • Updated Prometheus to 2.15.2 (thanks @Pothulapati)
    • Increased minimum Kubernetes version to 1.13.0
    • Added support for pod IP and service cluster IP lookups in the destination
      service
    • Added recommended Kubernetes labels to control-plane
    • Added the --wait-before-exit-seconds flag to linkerd inject for the proxy
      sidecar to delay the start of its shutdown process (a huge commit from
      @KIVagant, thanks!)
    • Added a pre-sign check to the identity service
    • Fixed inject failures for pods with security context capabilities
    • Added conntrack to the debug container to help with connection tracking
      debugging
    • Fixed a bug in tap where a mismatched cluster domain and trust domain
      caused tap to hang
    • Fixed an issue in the identity RBAC resource which caused start up errors
      in k8s 1.6 (thanks @Pothulapati!)
    • Added support for using trust anchors from an external certificate issuer
      (such as cert-manager) to the linkerd-identity service
    • Added support for headless services (thanks @JohannesEH!)
  • Helm
    • Breaking change: Renamed noInitContainer parameter to cniEnabled
    • Breaking change: Updated Helm charts to follow best practices (thanks
      @Pothulapati and @javaducky!)
    • Fixed an issue with helm install where the lists of ignored inbound and
      outbound ports would not be reflected
    • Fixed the linkerd-cni Helm chart not setting proper namespace annotations
      and labels
    • Fixed certificate issuance lifetime not being set when installing through
      Helm
    • Updated the helm build to retain previous releases
    • Moved CNI template into its own Helm chart
  • Proxy
    • Fixed an issue that could cause the OpenCensus exporter to stall
    • Improved error classification and error responses for gRPC services
    • Fixed a bug where the proxy could stop receiving service discovery updates,
      resulting in 503 errors
    • Improved debug/error logging to include detailed contextual information
    • Fixed a bug in the proxy's logging subsystem that could cause the proxy to
      consume memory until the process is OOM killed, especially when the proxy was
      configured to log diagnostic information
    • Updated proxy dependencies to address RUSTSEC-2019-0033, RUSTSEC-2019-0034,
      and RUSTSEC-2020-02
  • Web UI
    • Fixed an error when refreshing an already open dashboard when the Linkerd
      version has changed
    • Increased the speed of the dashboard by pausing network activity when the
      dashboard is not visible to the user
    • Added support for CronJobs and ReplicaSets, including new Grafana dashboards
      for them
    • Added linkerd check to the dashboard in the /controlplane view
    • Added request and response headers to the tap expanded view in the
      dashboard
    • Added filter to namespace select button
    • Improved how empty tables are displayed
    • Added Host: header validation to the linkerd-web service, to protect
      against DNS rebinding attacks
    • Made the dashboard sidebar component responsive
    • Changed the navigation bar color to the one used on the Linkerd website
  • Internal
    • Added validation to incoming sidecar injection requests that ensures
      the value of linkerd.io/inject is either enabled or disabled
      (thanks @mayankshah1607)
    • Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
    • Fixed an issue causing tap, injector and sp-validator to use
      old certificates after helm upgrade due to not being restarted
    • Fixed incomplete Swagger definition of the tap api, causing benign
      error logging in the kube-apiserver
    • Removed the destination container from the linkerd-controller deployment as
      it now runs in the linkerd-destination deployment
    • Allowed the control plane to be injected with the debug container
    • Updated proxy image build script to support HTTP proxy options
      (thanks @joakimr-axis!)
    • Updated the CLI doc command to auto-generate documentation for the proxy
      configuration annotations (thanks @StupidScience!)
    • Added new --trace-collector and --trace-collector-svc-account flags to
      linkerd inject that configure the OpenCensus trace collector used by
      proxies in the injected workload (thanks @Pothulapati!)
    • Added a new --control-plane-tracing flag to linkerd install that enables
      distributed tracing in the control plane (thanks @Pothulapati!)
    • Added distributed tracing support to the control plane (thanks
      @Pothulapati!)

edge-20.2.1

05 Feb 18:25
770da05

This edge release is a release candidate for stable-2.7 and fixes an issue
where the proxy could consume inappropriate amounts of memory.

  • Proxy
    • Fixed a bug in the proxy's logging subsystem that could cause the proxy to
      consume memory until the process is OOM killed, especially when the proxy was
      configured to log diagnostic information
    • Fixed the proxy to properly emit grpc-status headers when signaling proxy
      errors to gRPC clients
    • Updated certain proxy dependencies to address RUSTSEC-2019-0033,
      RUSTSEC-2019-0034, and RUSTSEC-2020-02

edge-20.1.4

28 Jan 23:00
69ce7ab

This edge release is a release candidate for stable-2.7.

The linkerd check command has been updated to improve the control plane
debugging experience.

  • CLI
    • Updated the mTLS trust anchor checks to eliminate false positives caused by
      extra trailing spaces
    • Reduced the severity level of the Linkerd version checks, so that they
      don't fail when the external version endpoint is unreachable
      (thanks @mayankshah1607!)
    • Added a new tap APIService check to aid with uncovering Kubernetes API
      aggregation layer issues (thanks @droidnoob!)

edge-20.1.3

24 Jan 23:42
91bc054

This edge release is a release candidate for stable-2.7.

An update to the Helm charts has caused a breaking change for users who
have installed Linkerd using Helm. In order to make the purpose of the
noInitContainer parameter more explicit it has been renamed to cniEnabled.

  • CLI
    • Introduced CNI checks to confirm the CNI plugin is installed and ready;
      this is done through linkerd check --pre --linkerd-cni-enabled before
      installation and linkerd check after installation if the CNI plugin is
      present
    • Added support for the --as-group flag so that users can impersonate
      groups for Kubernetes operations (thanks @mayankshah1607!)
  • Controller
    • Fixed an issue where an override of the Docker registry was not being
      applied to debug containers (thanks @javaducky!)
    • Added check for the Subject Alternative Name attributes to the API server
      when access restrictions have been enabled (thanks @javaducky!)
    • Added support for arbitrary pod labels so that users can leverage the
      Linkerd provided Prometheus instance to scrape for their own labels
      (thanks @daxmc99!)
    • Fixed an issue with CNI config parsing
  • Helm
    • Breaking change: Renamed noInitContainer parameter to cniEnabled
    • Fixed an issue with helm install where the lists of ignored inbound and
      outbound ports would not be reflected

edge-20.1.2

16 Jan 19:20
65aad4e

  • CLI
    • Added HA specific checks to linkerd check to ensure that the kube-system
      namespace has the config.linkerd.io/admission-webhooks:disabled
      label set
    • Fixed a problem causing the presence of unnecessary empty fields in
      generated resource definitions (thanks @mayankshah1607)
  • Proxy
    • Fixed an issue that could cause the OpenCensus exporter to stall
  • Internal
    • Added validation to incoming sidecar injection requests that ensures
      the value of linkerd.io/inject is either enabled or disabled
      (thanks @mayankshah1607)