This is an edge release of Linkerd! The latest stable release is stable-2.3.0

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • New Added a linkerd edges command that shows the source and
    destination name and identity for proxied connections, to assist in
    debugging
  • Tap can now be disabled for specific pods during injection by using the
    --disable-tap flag, or by using the config.linkerd.io/disable-tap
    annotation
  • Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
• Controller
  • Added Controller Component Labels to the webhook config resources (thanks,
    @Pothulapati!)
  • Moved the tap service into its own pod
• Proxy
  • Fix an epoll notification issue that could cause excessive CPU usage
  • Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)

• CLI
  • Fixed linkerd check and linkerd dashboard failing when any control plane
    pod is not ready, even when multiple replicas exist (as in HA mode)
• Controller
  • Fixed control plane components failing on startup when the Kubernetes API
    returns an ErrGroupDiscoveryFailed
• Proxy
  • Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  • Removed the limit on the number of concurrently active service discovery
    queries to the Destination service

Special thanks to @zaharidichev for adding end to end tests for proxies with
TLS!

• CLI
  • Added a linkerd check config command for verifying that
    linkerd install config was successful
  • Improved the help documentation of linkerd install to clarify flag usage
  • Added support for private Kubernetes clusters by changing the CLI to connect
    to the control plane using a port-forward (thanks, @jackprice!)
• Controller
  • Fixed pod creation failure when a ResourceQuota exists by adding a default
    resource spec for the proxy-init init container
• Proxy
  • Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  • Fixed an issue where load balancers can become stuck
• Internal
  • Fixed integration tests by adding known proxy-injector log warning to tests

This is an edge release of Linkerd! The latest stable release is stable-2.3.0.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

Significant Update

As of this edge release the proxy injector component is always installed.
To have the proxy injector inject a pod you still can manually add the
linkerd.io/inject: enable annotation into the pod spec, or at the namespace
level to have all your pods be injected by default.
With this release the behavior of the linkerd inject command changes, where
the proxy sidecar container YAML is no longer included in its output by
default, but instead it will just add the annotations to defer the injection to
the proxy injector.
For use cases that require the full injected YAML to be output, a new
--manual flag has been added.

Another important update is the introduction of install stages. You still have
the old linkerd install command, but now it can be broken into
linkerd install config which installs the resources that require
cluster-level privileges, and linkerd install control-plane that continues
with the resources that only require namespace-level privileges.
This also applies to the linkerd upgrade command.

• CLI

  • Breaking Change: Removed the --proxy-auto-inject flag, as the
    proxy injector is now always installed
  • Breaking Change: Replaced the --linkerd-version flag with the
    --proxy-version flag in the linkerd install and linkerd upgrade
    commands, which allows setting the version for the injected proxy sidecar
    image, without changing the image versions for the control plane
  • Introduced install stages: linkerd install config and
    linkerd install control-plane
  • Introduced upgrade stages: linkerd upgrade config and
    linkerd upgrade control-plane
  • Introduced a new --from-manifests flag to linkerd upgrade allowing
    manually feeding a previously saved output of linkerd install into the
    command, instead of requiring a connection to the cluster to fetch the
    config
  • Introduced a new --manual flag to linkerd inject to output the proxy
    sidecar container spec
  • Introduced a new --enable-debug-sidecar option to linkerd inject, that
    injects a debug sidecar to inspect traffic to and from the meshed pod
  • Added a new check for unschedulable pods and PSP issues (thanks, @liquidslr!)
  • Disabled the spinner in linkerd check when running without a TTY
  • Ensured the ServiceAccount for the proxy injector is created before its
    Deployment to avoid warnings when installing the proxy injector
    (thanks, @dwj300!)

• Controller

  • Added Go pprof HTTP endpoints to all control plane components' admin
    servers to better assist debugging efforts
  • Fixed bug in the proxy injector, where sporadically the pod workload owner
    wasn't properly determined, which would result in erroneous stats
  • Added support for a new config.linkerd.io/disable-identity annotation to
    opt out of identity for a specific pod

• Web UI

  • Added the Font Awesome stylesheet locally; this allows both Font Awesome
    and Material-UI sidebar icons to display consistently with no/limited
    internet access (thanks again, @liquidslr!)

• Internal

  • Known container errors were hidden in the integration tests; now they are
    reported in the output, still without having the tests fail

Announcing Linkerd 2.3 🎈

This stable release introduces a new TLS-based service identity system into the
default Linkerd installation, replacing --tls=optional and the linkerd-ca
controller. Now, proxies generate ephemeral private keys into a tmpfs directory
and dynamically refresh certificates, authenticated by Kubernetes ServiceAccount
tokens, and tied to ServiceAccounts as the identity primitive.

In this release, all meshed HTTP communication is private and authenticated by
default.

Among the many improvements to the web dashboard, we've added a Community page
to surface news and updates from linkerd.io.

For more details, see the announcement blog post:
https://linkerd.io/2019/04/16/announcing-linkerd-2.3/

To install this release, run: curl https://run.linkerd.io/install | sh

Upgrade notes: The linkerd-ca controller has been removed in favor of the
linkerd-identity controller. If you had previously installed Linkerd with
--tls=optional, manually delete the linkerd-ca deployment after upgrading.
Also, --single-namespace mode is no longer supported. For full details on
upgrading to this release, please see the
upgrade instructions.

Special thanks to: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk,
@liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!

Full release notes:

• CLI
  • Introduced an upgrade command! This allows an existing Linkerd control
    plane to be reinstalled or reconfigured; it is particularly useful for
    automatically reusing flags set in the previous install or upgrade
  • Introduced the linkerd metrics command for fetching proxy metrics
  • Breaking Change: The --linkerd-cni-enabled flag has been removed from
    the inject command; CNI is configured at the cluster level with the
    install command and no longer applies to the inject command
  • Breaking Change Removed the --disable-external-profiles flag from the
    install command; external profiles are now disabled by default and can be
    enabled with the new --enable-external-profiles flag
  • Breaking change Removed the --api-port flag from the inject and
    install commands, since there's no benefit to running the control plane's
    destination API on a non-default port (thanks, @paranoidaditya)
  • Breaking change Removed the --tls=optional flag from the
    linkerd install command, since TLS is now enabled by default
  • Changed install to accept or generate an issuer Secret for the Identity
    controller
  • Changed install to fail in the case of a conflict with an existing
    installation; this can be disabled with the --ignore-cluster flag
  • Added the ability to adjust the Prometheus log level via
    --controller-log-level
  • Implemented --proxy-cpu-limit and --proxy-memory-limit for setting the
    proxy resources limits (--proxy-cpu and --proxy-memory were deprecated in
    favor of proxy-cpu-request and proxy-memory-request) (thanks @TwinProduction!)
  • Added a validator for the --proxy-log-level flag
  • Updated the inject and uninject subcommands to issue warnings when
    resources lack a Kind property (thanks @Pothulapati!)
  • The inject command proxy options are now converted into config
    annotations; the annotations ensure that these configs are persisted in
    subsequent resource updates
  • Changed inject to require fetching a configuration from the control plane;
    this can be disabled with the --ignore-cluster and --disable-identity
    flags, though this will prevent the injected pods from participating in mesh
    identity
  • Included kubectl version check as part of linkerd check (thanks @yb172!)
  • Updated linkerd check to ensure hint URLs are displayed for RPC checks
  • Fixed sporadic (and harmless) race condition error in linkerd check
  • Introduced a check for NET_ADMIN in linkerd check
  • Fixed permissions check for CRDs
  • Updated the linkerd dashboard command to serve the dashboard on a fixed
    port, allowing it to leverage browser local storage for user settings
  • Updated the linkerd routes command to display rows for routes that are not
    receiving any traffic
  • Added TCP stats to the stat command, under the -o wide and -o json flags
  • The stat command now always shows the number of open TCP connections
  • Removed TLS metrics from the stat command; this is in preparation for
    surfacing identity metrics in a clearer way
  • Exposed the install-cni command and its flags, and tweaked their descriptions
  • Eliminated false-positive vulnerability warnings related to go.uuid
• Controller
  • Added a new public API endpoint for fetching control plane configuration
  • Breaking change Removed support for running the control plane in
    single-namespace mode, which was severely limited in the number of features
    it supported due to not having access to cluster-wide resources; the end
    goal being Linkerd degrading gracefully depending on its privileges
  • Updated automatic proxy injection and CLI injection to support overriding
    inject defaults via pod spec annotations
  • Added support for the config.linkerd.io/proxy-version annotation on pod
    specs; this will override the injected proxy version
  • The auto-inject admission controller webhook is updated to watch pods
    creation and update events; with this change, proxy auto-injection now works
    for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc
  • Service profile validation is now performed via a webhook endpoint; this
    prevents Kubernetes from accepting invalid service profiles
  • Changed the default CPU request from 10m to 100m for HA deployments;
    this will help some intermittent liveness/readiness probes from failing due
    to tight resource constraints
  • Updated destination service to return TLS identities only when the
    destination pod is TLS-aware and is in the same controller namespace
  • Lessen klog level to improve security
  • Updated control plane components to query Kubernetes at startup to determine
    authorized namespaces and if ServiceProfile support is available
  • Modified the stats payload to include the following TCP stats:
    tcp_open_connections, tcp_read_bytes_total, tcp_write_bytes_total
  • Instrumented clients in the control plane connecting to Kubernetes, thus
    providing better visibility for diagnosing potential problems with those
    connections
  • Renamed the "linkerd-proxy-api" service to "linkerd-destination"
  • Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
• Proxy
  • Introduced per-proxy private key generation and dynamic certificate renewal
  • Fixed a connection starvation issue where TLS discovery detection on
    slow or idle connections could block all other connections from being
    accepted on the inbound listener of the proxy
  • Fixed a stream leak between the proxy and the control plane that could
    cause the linkerd-controller pod to use an excessive amount of memory
  • Added a readiness check endpoint on :4191/ready so that Kubernetes doesn't
    consider pods ready until they have acquired a certificate from the Identity
    controller
  • Some l5d-* informational headers have been temporarily removed from
    requests and responses because they could leak information to external
    clients
  • The proxy's connect timeouts have been updated, especially to improve
    reconnect behavior between the proxy and the control plane
  • Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
  • The l5d-remote-ip header is now set on inbound requests and outbound
    responses
  • Fixed issue with proxy falling back to filesystem polling due to improperly
    sized inotify buffer
• Web UI
  • New Added a Community page to surface news and updates from linkerd.io
  • Added a Debug page to the web dashboard, allowing you to introspect service
    discovery state
  • The Overview page in the Linkerd dashboard now renders appropriately when
    viewed on mobile devices
  • Added filter functionality to the metrics tables
  • Added stable sorting for table rows
  • Added TCP stats to the Linkerd Pod Grafana dashboard
  • Added TCP stat tables on the namespace landing page and resource detail page
  • The topology graph now shows TCP stats if no HTTP stats are available
  • Improved table display on the resource detail page for resources with
    TCP-only traffic
  • Updated the resource detail page to start displaying a table with TCP stats
  • Modified the Grafana variable queries to use a TCP-based metric, so that
    if there is only TCP traffic then the dropdowns don't end up empty
  • Fixed sidebar not updating when resources were added/deleted (thanks
    @liquidslr!)
  • Added validation to the "new service profile" form (thanks @liquidslr!)
  • Added a Grafana dashboard and web tables for displaying Job stats
    (thanks, @Pothulapati!)
  • Removed TLS columns from the dashboard tables; this is in preparation for
    surfacing identity metrics in a clearer way
  • Fixed the behavior of the Top query 'Start' button if a user's query returns
    no data
  • Fixed an issue with the order of tables returned from a Top Routes query
  • Added text wrap for paths in the modal for expanded Tap query data
  • Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
  • Updated sorting of route table to move default routes to the bottom
  • Removed 'Help' hierarchy and surfaced links on navigation sidebar
  • Ensured that all the tooltips in Grafana displaying the series are shared
    across all the graphs
• Internals
  • Improved the `bin/go-...

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• Proxy
  • Fixed a connection starvation issue where TLS discovery detection on
    slow or idle connections could block all other connections from being
    accepted on the inbound listener of the proxy
• CLI
  • Fixed inject to allow the --disable-identity flag to be used
    without having to specify the --ignore-cluster flag
• Web UI
  • The Overview page in the Linkerd dashboard now renders appropriately when
    viewed on mobile devices

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • Fixed linkerd upgrade command not upgrading proxy containers (thanks
    @jon-walton for the issue report!)
  • Fixed linkerd upgrade command not installing the identity service when
    it was not already installed
  • Eliminate false-positive vulnerability warnings related to go.uuid

Special thanks to @KatherineMelnyk for updating the web component to read the
UUID from the linkerd-config ConfigMap!

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • Removed TLS metrics from the stat command; this is in preparation for
    surfacing identity metrics in a clearer way
  • The upgrade command now outputs a URL that explains next steps for
    upgrading
  • Breaking Change: The --linkerd-cni-enabled flag has been removed from
    the inject command; CNI is configured at the cluster level with the
    install command and no longer applies to the inject command
• Controller
  • Service profile validation is now performed via a webhook endpoint; this
    prevents Kubernetes from accepting invalid service profiles
  • Added support for the config.linkerd.io/proxy-version annotation on pod
    specs; this will override the injected proxy version
  • Changed the default CPU request from 10m to 100m for HA deployments;
    this will help some intermittent liveness/readiness probes from failing due
    to tight resource constraints
• Proxy
  • The CommonName field on CSRs is now set to the proxy's identity name
• Web UI
  • Removed TLS columns from the dashboard tables; this is in preparation for
    surfacing identity metrics in a clearer way

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • Introduced an upgrade command! This allows an existing Linkerd control plane to be reinstalled or reconfigured; it is particularly useful for automatically reusing flags set in the previous install or upgrade
  • The inject command proxy options are now converted into config annotations; the annotations ensure that these configs are persisted in subsequent resource updates
  • The stat command now always shows the number of open TCP connections
  • Breaking Change Removed the --disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new --enable-external-profiles flag
• Controller
  • The auto-inject admission controller webhook is updated to watch pods creation and update events; with this change, proxy auto-injection now works for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc
• Proxy
  • Some l5d-* informational headers have been temporarily removed from requests and responses because they could leak information to external clients
• Web UI
  • The topology graph now shows TCP stats if no HTTP stats are available
  • The resource detail page no longer shows blank tables if the resource only has TCP traffic
  • Added validation to the "new service profile" form (thanks @liquidslr!)

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

Significant Update

This edge release introduces a new TLS Identity system into the default Linkerd
installation, replacing tls=optional and the linkerd-ca controller. Now,
proxies generate ephemeral private keys into a tmpfs directory and dynamically
refresh certificates, authenticated by Kubernetes ServiceAccount tokens, via the
newly-introduced Identity controller.

Now, all meshed HTTP communication is private and authenticated by default.

• CLI
  • Changed install to accept or generate an issuer Secret for the Identity
    controller
  • Changed install to fail in the case of a conflict with an existing
    installation; this can be disabled with the --ignore-cluster flag
  • Changed inject to require fetching a configuration from the control plane;
    this can be disabled with the --ignore-cluster and --disable-identity
    flags, though this will prevent the injected pods from participating in mesh
    identity
  • Removed the --tls=optional flag from the linkerd install command, since
    TLS is now enabled by default
  • Added the ability to adjust the Prometheus log level
• Proxy
  • Fixed a stream leak between the proxy and the control plane that could
    cause the linkerd-controller pod to use an excessive amount of memory
  • Introduced per-proxy private key generation and dynamic certificate renewal
  • Added a readiness check endpoint on :4191/ready so that Kubernetes doesn't
    consider pods ready until they have acquired a certificate from the Identity
    controller
  • The proxy's connect timeouts have been updated, especially to improve
    reconnect behavior between the proxy and the control plane
• Web UI
  • Added TCP stats to the Linkerd Pod Grafana dashboard
  • Fixed the behavior of the Top query 'Start' button if a user's query returns
    no data
  • Added stable sorting for table rows
  • Fixed an issue with the order of tables returned from a Top Routes query
  • Added text wrap for paths in the modal for expanded Tap query data
• Internal
  • Improved the bin/go-run script for the build process so that on failure,
    all associated background processes are terminated

Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone
and @sourishkrout at @smallstep for collaboration and advice on the Identity
system!