edge-25.8.1

Overall status: RECOMMENDED

Cautions

This release removes support for ARMv7, notably including 32-bit Raspberry Pi platforms. As far as we know, no one is actively using Linkerd on these platforms.

Changes

This release fixes an issue (#14289) where native-sidecar proxies would land in an error state after the main container exited. It also correctly sets app.kubernetes.io/version label to list linkerd/cli instead of linkerd/helm when installing a Linkerd extension using the CLI, and it removes support for ARMv7, notably including 32-bit Raspberry Pi platforms.

What's Changed

• build(deps): bump backon from 1.5.1 to 1.5.2 by @dependabot[bot] in #14301
• build(deps): bump rustls from 0.23.30 to 0.23.31 by @dependabot[bot] in #14296
• build(deps): bump the clap group with 2 updates by @dependabot[bot] in #14295
• build(deps): bump tj-actions/changed-files from db8d0bfea5a44e51abd5dc1454386c668ae901f9 to 18b05b98fcd9dc0bd3870d7a6571535999ba0c3f by @dependabot[bot] in #14302
• feat!(ci): Remove arm/v7 support by @sfleen in #14308
• build(deps): bump tj-actions/changed-files from 18b05b98fcd9dc0bd3870d7a6571535999ba0c3f to 94d97fe3f88298bf8b2f2db6fa2ab150f3c1ab77 by @dependabot[bot] in #14306
• build(deps): bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0 by @dependabot[bot] in #14305
• build(deps): bump serde_json from 1.0.141 to 1.0.142 by @dependabot[bot] in #14304
• fix(proxy-identity): use execve call on Linux to start the proxy by @zaharidichev in #14307
• fix(helm): Fix cli version string in extensions by @adleong in #14309
• build(deps): bump linkerd-cni from 1.6.3 to 1.6.4 by @alpeb in #14310
• build(deps): bump network-validator from 0.1.3 to 0.1.4 by @alpeb in #14311

Full Changelog: edge-25.7.6...edge-25.8.1

edge-25.7.6

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release supports percentages, as well as integers, when setting the maxUnavailable field in the podDisruptionBudget in Helm values (thanks, Wim de Groot!), cleans up the descriptions for some proxy metrics (thanks, @joedrf!), produces auditable binaries for the policy controller and proxy, and prefers AES algorithms over ChaCha20 for mTLS. It also correctly performs reproducible builds, fixing issue #13873.

What's Changed

• fix(values): make Controller values untyped by @wim-de-groot in #14205
• build(deps): bump tokio from 1.46.1 to 1.47.0 by @dependabot[bot] in #14285
• build(deps): bump rustls from 0.23.29 to 0.23.30 by @dependabot[bot] in #14283
• build(deps): bump rustc-demangle from 0.1.25 to 0.1.26 by @dependabot[bot] in #14282
• build(deps): bump dyn-clone from 1.0.19 to 1.0.20 by @dependabot[bot] in #14284
• build(deps): bump linkerd/dev to v47 by @olix0r in #14275
• build(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 by @dependabot[bot] in #14273
• build(deps): bump tj-actions/changed-files from a0370f61698fcac830a08949da9fdf96ea0f3ab7 to db8d0bfea5a44e51abd5dc1454386c668ae901f9 by @dependabot[bot] in #14287
• build(policy-controller): produce auditable binaries by @olix0r in #14290
• chore(proxy): update linkerd-await to v0.3.1 by @olix0r in #14291
• fix(policy): Include aws-lc-rs as optional policy controller crypto… by @sfleen in #14264
• chore(inject): make PatchProducer and ValueOverrider more generic by @zaharidichev in #14254
• build(deps): bump aws-lc-rs from 1.13.1 to 1.13.3 by @dependabot[bot] in #14294
• Revert "fix(policy): Include aws-lc-rs as optional policy controller crypto backend (#14264) by @sfleen in #14299
• proxy: v2.311.0 by @l5d-bot in #14297
• refactor(helm): Replace VFS with embed for Helm chart rendering by @adleong in #14272

Full Changelog: edge-25.7.5...edge-25.7.6

edge-25.7.5

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release contains internal improvements, but no new capabilities over edge-25.7.4.

What's Changed

• chore(ci): enable overriding the runner in workflows by @olix0r in #14256
• build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.0 by @dependabot[bot] in #14252
• build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 by @dependabot[bot] in #14253
• build(deps): bump the kube group with 7 updates by @dependabot[bot] in #14251
• build(deps-dev): bump webpack from 5.99.9 to 5.100.2 in /web/app by @dependabot[bot] in #14258
• build(deps): bump rand from 0.9.1 to 0.9.2 by @dependabot[bot] in #14259
• build(deps): bump cc from 1.2.29 to 1.2.30 by @dependabot[bot] in #14260
• build(deps): bump serde_json from 1.0.140 to 1.0.141 by @dependabot[bot] in #14261
• build(deps): bump google-github-actions/auth from 2.1.10 to 2.1.11 by @dependabot[bot] in #14262
• build(deps): bump google-github-actions/setup-gcloud from 2.1.4 to 2.1.5 in /.github/actions/helm-publish by @dependabot[bot] in #14263
• proxy: v2.310.0 by @l5d-bot in #14270
• build(deps): bump google.golang.org/grpc from 1.74.0 to 1.74.2 by @dependabot[bot] in #14267
• build(deps): bump io-uring from 0.7.8 to 0.7.9 by @dependabot[bot] in #14269
• build(deps): bump tj-actions/changed-files from 055970845dd036d7345da7399b7e89f2e10f2b04 to a0370f61698fcac830a08949da9fdf96ea0f3ab7 by @dependabot[bot] in #14271
• build(deps): bump hyper-util from 0.1.15 to 0.1.16 by @dependabot[bot] in #14268

Full Changelog: edge-25.7.4...edge-25.7.5

edge-25.7.4

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release contains a fix to reduce the proxy's memory usage when handling many HTTP/1 connections.

What's Changed

• test(destination): Replace sleeps with RetryFor in ClusterStoreTest by @adleong in #14250
• proxy: v2.309.0 by @l5d-bot in #14255

Full Changelog: edge-25.7.3...edge-25.7.4

edge-25.7.3

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release reintroduces idle timeouts for HTTP/1 connections, and supports the AES_256_GCM cipher for mTLS. It also fixes an issue (#14228) where the Helm chart could fail to render when upgrading from a previous version.

What's Changed

• build(deps): bump rustls from 0.23.28 to 0.23.29 by @dependabot[bot] in #14230
• build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0 by @dependabot[bot] in #14229
• chore(build): remove choco by @alpeb in #14234
• chore: remove empty lines from manifests by @alpeb in #14233
• refactor(helm): Replace VFS with embed for Helm chart rendering by @adleong in #14206
• build(deps): bump query-string from 9.2.1 to 9.2.2 in /web/app by @dependabot[bot] in #14236
• build(deps): bump core-js from 3.43.0 to 3.44.0 in /web/app by @dependabot[bot] in #14238
• build(deps-dev): bump babel-jest from 30.0.2 to 30.0.4 in /web/app by @dependabot[bot] in #14239
• build(deps-dev): bump @babel/preset-env from 7.27.2 to 7.28.0 in /web/app by @dependabot[bot] in #14240
• build(deps): bump tj-actions/changed-files from 5f66af5912c4f9c360c03a612f98606fb0f83790 to 055970845dd036d7345da7399b7e89f2e10f2b04 by @dependabot[bot] in #14243
• build(deps): bump delegate from 0.13.3 to 0.13.4 by @dependabot[bot] in #14245
• chore(deps): update rust kube dependencies by @olix0r in #14235
• build(deps): bump golang.org/x/tools from 0.34.0 to 0.35.0 by @dependabot[bot] in #14242
• fix(helm): Fix helm rendering error when upgrading by @adleong in #14244
• test(policy): update postman tests to expect 200 response code by @adleong in #14248
• proxy: v2.308.0 by @l5d-bot in #14247
• revert(helm): Replace VFS with embed for Helm chart rendering (#14206) by @adleong in #14246

Full Changelog: edge-25.7.2...edge-25.7.3

edge-25.7.2

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release fixes an issue (#14176) where a Server resource with invalid selectors could prevent other Servers from being used.

What's Changed

• build(deps): bump h2 from 0.4.10 to 0.4.11 by @dependabot[bot] in #14196
• build(deps): bump openssl-src from 300.5.0+3.5.0 to 300.5.1+3.5.1 by @dependabot[bot] in #14198
• chore(docs): specify tagging instructions by @cratelyn in #14202
• build(deps): bump tokio from 1.45.1 to 1.46.0 by @dependabot[bot] in #14203
• build(deps): bump tj-actions/changed-files from 666c9d29007687c52e3c7aa2aac6c0ffcadeadc3 to e8772ff27de71367c2771ef3e8b5b2075b3f8282 by @dependabot[bot] in #14197
• build(deps): bump cc from 1.2.27 to 1.2.29 by @dependabot[bot] in #14215
• build(deps-dev): bump jest-environment-jsdom from 30.0.2 to 30.0.4 in /web/app by @dependabot[bot] in #14212
• build(deps): bump tokio from 1.46.0 to 1.46.1 by @dependabot[bot] in #14213
• build(deps-dev): bump @babel/eslint-parser from 7.27.5 to 7.28.0 in /web/app by @dependabot[bot] in #14211
• build(deps): bump tokio-metrics from 0.4.2 to 0.4.3 by @dependabot[bot] in #14207
• build(deps-dev): bump jest from 30.0.3 to 30.0.4 in /web/app by @dependabot[bot] in #14210
• build(deps): bump tj-actions/changed-files from e8772ff27de71367c2771ef3e8b5b2075b3f8282 to cf79a64fed8a943fb1073260883d08fe0dfb4e56 by @dependabot[bot] in #14216
• build(deps-dev): bump @babel/core from 7.27.7 to 7.28.0 in /web/app by @dependabot[bot] in #14209
• build(deps): bump hyper-util from 0.1.14 to 0.1.15 by @dependabot[bot] in #14219
• proxy: v2.307.0 by @l5d-bot in #14223
• build(deps): bump the clap group with 3 updates by @dependabot[bot] in #14224
• build(deps): bump tj-actions/changed-files from cf79a64fed8a943fb1073260883d08fe0dfb4e56 to 5f66af5912c4f9c360c03a612f98606fb0f83790 by @dependabot[bot] in #14225
• chore(build): bump linkerd/dev to v46 by @olix0r in #14226
• build(deps): bump the kube group with 7 updates by @dependabot[bot] in #13964
• build(deps): bump helm.sh/helm/v3 from 3.17.3 to 3.18.4 by @dependabot[bot] in #14222
• build(deps): bump cni-plugin to v1.6.3, proxy-init to v2.4.3, validator to v0.1.3 by @alpeb in #14221
• fix(destination): skip servers with invalid selectors by @adleong in #14195
• feature(inject): introduce PatchProducer abstraction by @zaharidichev in #14175

Full Changelog: edge-25.7.1...edge-25.7.2

edge-25.7.1

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

This release will no longer permit connections to a Service IP using a port that is not listed in the Service's spec.ports, in order to fix #13922 and to make Linkerd's behavior align with current Kubernetes behavior.

Changes

This release will refuse connections made to a Service port that is not listed in the Service's spec.ports, as described above. It also removes duplicate metrics keys from the proxy, and removes preserveUnknownFields from the linkerd-crds Helm chart's ServiceProfile template (thanks, Carlos Martell!).

What's Changed

• build(deps-dev): bump @babel/core from 7.27.4 to 7.27.7 in /web/app by @dependabot in #14191
• build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 in /web/app by @dependabot in #14190
• build(deps): bump bumpalo from 3.18.1 to 3.19.0 by @dependabot in #14189
• build(deps): bump rustc-demangle from 0.1.24 to 0.1.25 by @dependabot in #14187
• fix(helm): Remove preserveUnknownFields from service profile template in linkerd-crds chart by @cmartell-at-m42 in #14179
• fix(policy-controller)!: Disallow requests to undefined service ports by @adleong in #14149
• proxy: v2.305.0 by @l5d-bot in #14199
• proxy: v2.306.0 by @l5d-bot in #14200
• chore(docs): fix proxy update instructions by @cratelyn in #14201

New Contributors

• @cmartell-at-m42 made their first contribution in #14179

Full Changelog: edge-25.6.4...edge-25.7.1

edge-25.6.4

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

N/A

Changes

This release allows configuring OpenTelemetry tracing without installing the linkerd-jaeger extension, and fixes an issue where the caBundle field in the Helm chart was not being set correctly when using PEM-encoded CA certificates (thanks, Jonas Dittrich!). It also allows using a named pipe for SPIRE when running the proxy for Windows mesh expansion, and removes an unintentionally-added HTTP/1 header read timeout.

What's Changed

• chore(policy-controller): fix visibility clippy lint by @adleong in #14150
• fix(helm): Allow setting caBundle with caPEM and keyPEM by @Kakadus in #14109
• nit(charts): remove extra space in linkerd-cni description by @cratelyn in #14162
• build(deps): bump syn from 2.0.101 to 2.0.104 by @dependabot in #14169
• build(deps): bump tracing-attributes from 0.1.29 to 0.1.30 in the tracing group by @dependabot in #14151
• build(deps): bump slab from 0.4.9 to 0.4.10 by @dependabot in #14171
• proxy: v2.303.0 by @l5d-bot in #14174
• build(deps): bump cfg-if from 1.0.0 to 1.0.1 by @dependabot in #14173
• build(deps): bump autocfg from 1.4.0 to 1.5.0 by @dependabot in #14172
• build(deps): bump crazy-max/ghaction-chocolatey from 3.3.0 to 3.4.0 by @dependabot in #14170
• build(deps): bump github.com/prometheus/common from 0.64.0 to 0.65.0 by @dependabot in #14168
• build(deps-dev): bump babel-jest from 29.7.0 to 30.0.2 in /web/app by @dependabot in #14166
• build(deps): bump core-js from 3.42.0 to 3.43.0 in /web/app by @dependabot in #14163
• build(deps): bump tj-actions/changed-files from d52d20fa3f981cb852b861fd8f55308b5fe29637 to 666c9d29007687c52e3c7aa2aac6c0ffcadeadc3 by @dependabot in #14161
• build(deps): bump docker/setup-buildx-action from 3.11.0 to 3.11.1 in /.github/actions/docker-build by @dependabot in #14159
• build(deps): bump github.com/emicklei/proto from 1.14.1 to 1.14.2 by @dependabot in #14158
• build(deps): bump rustls from 0.23.27 to 0.23.28 by @dependabot in #14155
• build(deps): bump miniz_oxide from 0.8.8 to 0.8.9 by @dependabot in #14154
• build(deps): bump windows-link from 0.1.1 to 0.1.3 by @dependabot in #14152
• proxy: v2.304.0 by @l5d-bot in #14186
• feat(tracing): Add proxy tracing configuration to control plane helm chart by @sfleen in #13994
• build(deps-dev): bump jest-environment-jsdom from 30.0.0 to 30.0.2 in /web/app by @dependabot in #14164
• build(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 by @dependabot in #14178
• build(deps): bump errno from 0.3.12 to 0.3.13 by @dependabot in #14181
• build(deps): bump memchr from 2.7.4 to 2.7.5 by @dependabot in #14182
• build(deps): bump libc from 0.2.173 to 0.2.174 by @dependabot in #14183
• build(deps): bump wasi from 0.11.0+wasi-snapshot-preview1 to 0.11.1+wasi-snapshot-preview1 by @dependabot in #14184
• build(deps): bump Swatinem/rust-cache from 2.7.8 to 2.8.0 by @dependabot in #14185
• build(deps-dev): bump jest from 30.0.0 to 30.0.2 in /web/app by @dependabot in #14165

New Contributors

• @Kakadus made their first contribution in #14109

Full Changelog: edge-25.6.3...edge-25.6.4

edge-25.6.3

Overall status: NOT RECOMMENDED, use edge-25.8.1 instead

Cautions

This release changes the histogram buckets for gRPC handling-time histograms. The new buckets better line up with the long-lived streams used in Linkerd’s controllers, but of course this is a potentially breaking change.

It also updates the port names used in many Linkerd deployments for uniqueness, since Kubernetes 1.33 warns when port names are not unique within containers in the same pod:

• In destination, grpc becomes dest-grpc and admin-http becomes dest-admin
• In sp-validator, admin-http becomes spval-admin
• In policy-controller, grpc becomes policy-grpc and admin-http becomes policy-admin
• In identity, grpc becomes ident-grpc and admin-http becomes ident-admin
• In proxy-injector, admin-http becomes injector-admin
• In linkerd2-cni, admin-http becomes repair-admin

Changes

This release changes the histogram buckets for gRPC handling-time histograms and updates many port names to avoid warnings in Kubernetes 1.33, as described above. It also fixes an issue (#14103) where inbound policy couldn't be applied to the metrics port when using native sidecars, and adds common gRPC server metrics to the policy controller.

What's Changed

• build(deps): bump softprops/action-gh-release from 2.2.2 to 2.3.2 by @dependabot in #14120
• chore(build): enable proxy-identity to work on Windows systems by @zaharidichev in #14126
• proxy: v2.301.0 by @l5d-bot in #14128
• chore(docs): remove outdated release instructions by @cratelyn in #14129
• build(deps): bump tj-actions/changed-files from c6634ca281a9fc05b03bee224ba00910cb78ab6e to 4140eb99d2cced9bfd78375c2088371853262f79 by @dependabot in #14118
• build(deps): bump hyper-rustls from 0.27.6 to 0.27.7 by @dependabot in #14117
• build(deps): bump smallvec from 1.15.0 to 1.15.1 by @dependabot in #14116
• build(deps): bump the tracing group with 2 updates by @dependabot in #14115
• build(deps-dev): bump @babel/eslint-parser from 7.27.1 to 7.27.5 in /web/app by @dependabot in #14114
• build(deps-dev): bump webpack-dev-server from 5.2.1 to 5.2.2 in /web/app by @dependabot in #14113
• build(deps-dev): bump @babel/runtime from 7.27.4 to 7.27.6 in /web/app by @dependabot in #14112
• build(deps): bump bumpalo from 3.17.0 to 3.18.1 by @dependabot in #14108
• build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 by @dependabot in #14106
• build(deps): bump cc from 1.2.25 to 1.2.26 by @dependabot in #14107
• build(deps): bump golang.org/x/tools from 0.33.0 to 0.34.0 by @dependabot in #14105
• build(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 by @dependabot in #14104
• refactor(charts)!: disambiguate container port names for Kubernetes 1.33 by @olix0r in #14111
• chore(controller)!: tune grpc handling time histogram buckets by @olix0r in #14130
• feat(policy-controller): add grpc server metrics by @olix0r in #14122
• build(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.0 in /.github/actions/docker-build by @dependabot in #14146
• fix(test): fix policy-test e2e_appprotocol by @alpeb in #14148
• build(deps-dev): bump jest-environment-jsdom from 29.7.0 to 30.0.0 in /web/app by @dependabot in #14132
• build(deps): bump query-string from 9.2.0 to 9.2.1 in /web/app by @dependabot in #14133
• build(deps): bump thread_local from 1.1.8 to 1.1.9 by @dependabot in #14142
• build(deps): bump libc from 0.2.172 to 0.2.173 by @dependabot in #14141
• build(deps): bump adler2 from 2.0.0 to 2.0.1 by @dependabot in #14140
• fix(policy-controller): properly index named ports in native sidecar containers by @alpeb in #14144
• build(deps): bump pest_derive from 2.8.0 to 2.8.1 by @dependabot in #14139
• build(deps-dev): bump sinon from 20.0.0 to 21.0.0 in /web/app by @dependabot in #14136
• build(deps-dev): bump jest from 29.7.0 to 30.0.0 in /web/app by @dependabot in #14134
• build(deps): bump the clap group with 4 updates by @dependabot in #14138
• build(deps): bump tj-actions/changed-files from 4140eb99d2cced9bfd78375c2088371853262f79 to d52d20fa3f981cb852b861fd8f55308b5fe29637 by @dependabot in #14143
• build(deps): bump github.com/sergi/go-diff from 1.3.1 to 1.4.0 by @dependabot in #14137
• proxy: v2.302.0 by @l5d-bot in #14156
• fix(ci): Don't update website in releases before pushing helm charts by @sfleen in #14157

Full Changelog: edge-25.6.2...edge-25.6.3

edge-25.6.2

Overall status: NOT RECOMMENDED, use edge-25.7.4 instead

Cautions

N/A

Changes

This release contains internal improvements, but no new capabilities over edge-25.6.1.

What's Changed

• build(deps): bump anstyle from 1.0.10 to 1.0.11 by @dependabot in #14102
• build(deps): bump hyper-util from 0.1.13 to 0.1.14 by @dependabot in #14101
• build(deps): bump headers from 0.4.0 to 0.4.1 by @dependabot in #14098
• build(deps): bump tower-http from 0.6.4 to 0.6.6 by @dependabot in #14097
• feat(helm): grant linkerd-config read access to additional SAs by @alpeb in #14092
• Steering committee membership change by @wmorgan in #14087
• fix(policy-test): update expected response codes by @olix0r in #14124

Full Changelog: edge-25.6.1...edge-25.6.2