Releases: linkerd/linkerd2

edge-19.3.3

22 Mar 21:40
c1c1b3f

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

Significant Update

This edge release introduces a new TLS Identity system into the default Linkerd
installation, replacing tls=optional and the linkerd-ca controller. Now,
proxies generate ephemeral private keys into a tmpfs directory and dynamically
refresh certificates, authenticated by Kubernetes ServiceAccount tokens, via the
newly-introduced Identity controller.

Now, all meshed HTTP communication is private and authenticated by default.

  • CLI
    • Changed install to accept or generate an issuer Secret for the Identity
      controller
    • Changed install to fail in the case of a conflict with an existing
      installation; this can be disabled with the --ignore-cluster flag
    • Changed inject to require fetching a configuration from the control plane;
      this can be disabled with the --ignore-cluster and --disable-identity
      flags, though this will prevent the injected pods from participating in mesh
      identity
    • Removed the --tls=optional flag from the linkerd install command, since
      TLS is now enabled by default
    • Added the ability to adjust the Prometheus log level
  • Proxy
    • Fixed a stream leak between the proxy and the control plane that could
      cause the linkerd-controller pod to use an excessive amount of memory
    • Introduced per-proxy private key generation and dynamic certificate renewal
    • Added a readiness check endpoint on :4191/ready so that Kubernetes doesn't
      consider pods ready until they have acquired a certificate from the Identity
      controller
    • The proxy's connect timeouts have been updated, especially to improve
      reconnect behavior between the proxy and the control plane
  • Web UI
    • Added TCP stats to the Linkerd Pod Grafana dashboard
    • Fixed the behavior of the Top query 'Start' button if a user's query returns
      no data
    • Added stable sorting for table rows
    • Fixed an issue with the order of tables returned from a Top Routes query
    • Added text wrap for paths in the modal for expanded Tap query data
  • Internal
    • Improved the bin/go-run script for the build process so that on failure,
      all associated background processes are terminated

Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone
and @sourishkrout at @smallstep for collaboration and advice on the Identity
system!

edge-19.3.2

14 Mar 19:07
77e3b70

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

  • Controller
    • Breaking change: Removed support for running the control plane in
      single-namespace mode, which was severely limited in the number of features
      it supported due to not having access to cluster-wide resources
    • Updated automatic proxy injection and CLI injection to support overriding
      inject defaults via pod spec annotations
    • Added a new public API endpoint for fetching control plane configuration
  • CLI
    • Breaking change: Removed the --api-port flag from the inject and
      install commands, since there's no benefit to running the control plane's
      destination API on a non-default port (thanks, @paranoidaditya)
    • Introduced the linkerd metrics command for fetching proxy metrics
    • Updated the linkerd routes command to display rows for routes that are not
      receiving any traffic
    • Updated the linkerd dashboard command to serve the dashboard on a fixed
      port, allowing it to leverage browser local storage for user settings
  • Web UI
    • New: Added a Community page to surface news and updates from linkerd.io
    • Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
    • Added a Grafana dashboard and web tables for displaying Job stats
      (thanks, @Pothulapati!)
    • Updated sorting of route table to move default routes to the bottom
    • Added TCP stat tables on the namespace landing page and resource detail page

edge-19.3.1

06 Mar 23:33
1bb60e2

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

  • CLI
    • Introduced a check for NET_ADMIN in linkerd check
    • Fixed permissions check for CRDs
    • Included kubectl version check as part of linkerd check (thanks @yb172!)
    • Added TCP stats to the stat command, under the -o wide and -o json flags
  • Controller
    • Updated the mutatingwebhookconfiguration so that it is recreated when the
      proxy injector is restarted, so that the MWC always picks up the latest
      config template during version upgrade
  • Proxy
    • Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
    • The l5d-remote-ip header is now set on inbound requests and outbound
      responses
  • Web UI
    • Fixed sidebar not updating when resources were added/deleted (thanks
      @liquidslr!)
    • Added filter functionality to the metrics tables
  • Internal
    • Added more log errors to the integration tests
    • Removed the GOPATH dependence from the CLI dev environment
    • Consolidated injection code from CLI and admission controller code paths

edge-19.2.5

28 Feb 00:57
d805cb9

This is an edge release of Linkerd! The latest stable release is stable-2.2.1.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

  • CLI
    • Updated linkerd check to ensure hint URLs are displayed for RPC checks
  • Controller
    • Updated the auto-inject admission controller webhook to respond to UPDATE
      events for deployment workloads
    • Updated destination service to return TLS identities only when the
      destination pod is TLS-aware and is in the same controller namespace
    • Lessened klog level to improve security
    • Updated control-plane components to query Kubernetes at startup to determine
      authorized namespaces and if ServiceProfile support is available
    • Modified the stats payload to include the following TCP stats:
      tcp_open_connections, tcp_read_bytes_total, tcp_write_bytes_total
  • Proxy
    • Fixed issue with proxy falling back to filesystem polling due to improperly
      sized inotify buffer
  • Web UI
    • Removed 'Help' hierarchy and surfaced links on navigation sidebar
    • Added a Debug page to the web dashboard, allowing you to introspect service discovery state
    • Updated the resource detail page to start displaying a table with TCP stats
  • Internal
    • Enabled the following linters: unparam, unconvert, goimports,
      goconst, scopelint, unused, gosimple
    • Bumped base Docker images

stable-2.2.1

21 Feb 18:59

This stable release polishes some of the CLI help text and fixes two issues that
came up since the stable-2.2.0 release. If you're upgrading from stable-2.1.0 or
earlier, be sure to check out the Upgrade Guide.

To install this release, run: curl https://run.linkerd.io/install | sh

Full release notes:

  • CLI
    • Fixed handling of kubeconfig server urls that include paths
    • Updated the description of the --proxy-auto-inject flag to indicate that
      it is no longer experimental
    • Updated the profile help text to match the other commands
    • Added the "ep" alias for the endpoints command
  • Controller
    • Stopped logging an error when a route doesn't specify a timeout

edge-19.2.4

21 Feb 01:31
249b5ae

This is an edge release of Linkerd! The latest stable release is stable-2.2.0.

To install this edge release, run:
curl https://run.linkerd.io/install-edge | sh

  • CLI
    • Implemented --proxy-cpu-limit and --proxy-memory-limit for setting the
      proxy resources limits (--proxy-cpu and --proxy-memory were deprecated in
      favor of proxy-cpu-request and proxy-memory-request) (thanks @TwinProduction!)
    • Updated the inject and uninject subcommands to issue warnings when
      resources lack a Kind property (thanks @Pothulapati!)
    • Unhid the install-cni command and its flags, and tweaked their descriptions
    • Fixed handling of kubeconfig server urls that include paths
    • Updated the description of the --proxy-auto-inject flag to indicate that
      it is no longer experimental
    • Updated the profile help text to match the other commands
    • Added the "ep" alias for the endpoints command (also @Pothulapati!)
    • Added a validator for the --proxy-log-level flag
    • Fixed sporadic (and harmless) race condition error in linkerd check
  • Controller
    • Instrumented clients in the control plane connecting to Kubernetes, thus
      providing better visibility for diagnosing potential problems with those
      connections
    • Stopped logging an error when a route doesn't specify a timeout
    • Renamed the "linkerd-proxy-api" service to "linkerd-destination"
    • Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
  • Web UI
    • Modified the Grafana variable queries to use a TCP-based metric, so that
      if there is only TCP traffic then the dropdowns don't end up empty
    • Ensured that all the tooltips in Grafana displaying the series are shared
      across all the graphs
  • Internals
    • Added the flags -update and -pretty-diff to tests to allow overwriting
      fixtures and to print the full text of the fixtures upon mismatches
    • Introduced golangci-lint tooling, using .golangci.yml to centralize
      the config
    • Added a -cover parameter to track code coverage in go tests
      (more info in TEST.md)
    • Added integration tests for single-namespace
    • Renamed a function in a test that was shadowing a go built-in function
      (thanks @huynq0911!)

stable-2.2.0

12 Feb 22:47
1cde1f0

Announcing Linkerd 2.2 🎈

This stable release introduces automatic request retries and timeouts, and graduates auto-inject to be a fully-supported (non-experimental) feature. It adds several new CLI commands, including logs and endpoints, that provide diagnostic visibility into Linkerd's control plane. Finally, it introduces two exciting experimental features: a cryptographically-secured client identity header, and a CNI plugin that avoids the need for NET_ADMIN kernel capabilities at deploy time.

For more details, see the announcement blog post:
https://blog.linkerd.io/2019/02/12/announcing-linkerd-2-2/

To install this release, run: curl https://run.linkerd.io/install | sh

Upgrade notes: The default behavior for proxy auto injection and service profile ownership has changed as part of this release. Please see the upgrade instructions for more details.

Special thanks to: @alenkacz, @codeman9, @jonrichards, @radu-matei, @yeya24, and @zknill

Full release notes:

  • CLI
    • Improved service profile validation when running linkerd check in order to
      validate service profiles in all namespaces
    • Added the linkerd endpoints command to introspect Linkerd's service
      discovery state
    • Added the --tap flag to linkerd profile to generate service profiles
      using the route results seen during the tap
    • Added support for the linkerd.io/inject: disabled annotation on pod specs
      to disable injection for specific pods when running linkerd inject
    • Added support for basePath in OpenAPI 2.0 files when running linkerd profile --open-api
    • Increased linkerd check client timeout from 5 seconds to 30 seconds to fix
      issues for clusters with slow API servers
    • Updated linkerd routes to no longer return rows for ExternalName
      services in the namespace
    • Broadened the set of valid URLs when connecting to the Kubernetes API
    • Added the --proto flag to linkerd profile to output a service profile
      based on a Protobuf spec file
    • Fixed CLI connection failures to clusters that use self-signed certificates
    • Simplified linkerd install so that setting up proxy auto-injection
      (flag --proxy-auto-inject) no longer requires enabling TLS (flag --tls)
    • Added links for each linkerd check failure, pointing to a relevant section
      in our new FAQ page with resolution steps for each case
    • Added optional linkerd install-sp command to generate service profiles for
      the control plane, providing per-route metrics for control plane components
    • Removed --proxy-bind-timeout flag from linkerd install and
      linkerd inject, as the proxy no longer accepts this environment variable
    • Improved CLI appearance on Windows systems
    • Improved linkerd check output, fixed bug with --single-namespace
    • Fixed panic when linkerd routes is called in single-namespace mode
    • Added linkerd logs command to surface logs from any container in the
      Linkerd control plane
    • Added linkerd uninject command to remove the Linkerd proxy from a
      Kubernetes config
    • Improved linkerd inject to re-inject a resource that already has a Linkerd
      proxy
    • Improved linkerd routes to list all routes, including those without
      traffic
    • Improved readability in linkerd check and linkerd inject outputs
    • Adjusted the set of checks that are run before executing CLI commands, which
      allows the CLI to be invoked even when the control plane is not fully ready
    • Fixed reporting of injected resources when the linkerd inject command is
      run on List type resources with multiple items
    • Updated the linkerd dashboard command to use port-forwarding instead of
      proxying when connecting to the web UI and Grafana
    • Added validation for the ServiceProfile CRD
    • Updated the linkerd check command to disallow setting both the --pre and
      --proxy flags simultaneously
    • Added --routes flag to the linkerd top command, for grouping table rows
      by route instead of by path
    • Updated Prometheus configuration to automatically load *_rules.yml files
    • Removed TLS column from the linkerd routes command output
    • Updated linkerd install output to use non-default service accounts,
      emptyDir volume mounts, and non-root users
    • Removed cluster-wide resources from single-namespace installs
    • Fixed resource requests for proxy-injector container in --ha installs
  • Controller
    • Fixed issue with auto-injector not setting the proxy ID, which is required
      to successfully locate client service profiles
    • Added full stat and tap support for DaemonSets and StatefulSets in the CLI,
      Grafana, and web UI
    • Updated auto-injector to use the proxy log level configured at install time
    • Fixed issue with auto-injector including TLS settings in injected pods even
      when TLS was not enabled
    • Changed automatic proxy injection to be opt-in via the linkerd.io/inject
      annotation on the pod or namespace
    • Moved service profile definitions to client and server namespaces, rather
      than the control plane namespace
    • Added linkerd.io/created-by annotation to the linkerd-cni DaemonSet
    • Added a 10 second keepalive default to resolve dropped connections in Azure
      environments
    • Improved node selection for installing the linkerd-cni DaemonSet
    • Corrected the expected controller identity when configuring pods with TLS
    • Modified klog to be verbose when controller log-level is set to debug
    • Added support for retries and timeouts, configured directly in the service
      profile for each route
    • Added an experimental CNI plugin to avoid requiring the NET_ADMIN capability
      when injecting proxies
    • Improved the API for ListPods
    • Fixed GetProfiles API call not returning immediately when no profile
      exists (resulting in proxies logging warnings)
    • Blocked controller initialization until caches have synced with kube API
    • Fixed proxy-api handling of named target ports in service configs
    • Added parameter to stats API to skip retrieving prometheus stats
  • Web UI
    • Updated navigation to link the Linkerd logo back to the Overview page
    • Fixed console warnings on the Top page
    • Grayed-out the tap icon for requests from sources that are not meshed
    • Improved resource detail pages to show all resource types
    • Fixed stats not appearing for routes that have service profiles installed
    • Added "meshed" and "no traffic" badges on the resource detail pages
    • Fixed linkerd dashboard to maintain proxy connection when browser open fails
    • Fixed JavaScript bundling to avoid serving old versions after upgrade
    • Reduced the size of the webpack JavaScript bundle by nearly 50%
    • Fixed an indexing error on the top results page
    • Restored unmeshed resources in the network graph on the resource detail page
    • Adjusted label for unknown routes in route tables, added tooltip
    • Updated Top Routes page to persist form settings in URL
    • Added button to create new service profiles on Top Routes page
    • Fixed CLI commands displayed when linkerd is running in non-default
      namespace
  • Proxy
    • Modified the way in which canonicalization warnings are logged to reduce the
      overall volume of error logs and make it clearer when failures occur
    • Added TCP keepalive configuration to fix environments where peers may
      silently drop connections
    • Updated the Get and GetProfiles APIs to accept a proxy_id parameter in
      order to return more tailored results
    • Removed TLS fallback-to-plaintext if handshake fails
    • Added the ability to override a proxy's normal outbound routing by adding an
      l5d-override-dst header
    • Added LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT environment variable to
      customize the timeout for DNS queries to canonicalize a name
    • Added support for route timeouts in service profiles
    • Improved logging for gRPC errors and for malformed HTTP/2 request headers
    • Improved log readability by moving some noisy log messages to more verbose
      log levels
    • Fixed a deadlock in HTTP/2 stream reference counts
    • Updated the proxy-init container to exit with a non-zero exit code if
      initialization fails, making initialization errors much more visible
    • Fixed a memory leak due to leaked UDP sockets for failed DNS queries
    • Improved configuration of the PeakEwma load balancer
    • Improved handling of ports configured to skip protocol detection when the
      proxy is running with TLS enabled

edge-19.2.3

12 Feb 20:34
121cd59

This is an edge release of Linkerd! The latest stable release is stable-2.1.0.

To install this edge release, run:
curl https://run.linkerd.io/install-edge | sh

  • Controller
    • Fixed issue with auto-injector not setting the proxy ID, which is required
      to successfully locate client service profiles
  • Web UI
    • Updated navigation to link the Linkerd logo back to the Overview page
    • Fixed console warnings on the Top page

edge-19.2.2

11 Feb 21:53
4a5152e

This is an edge release of Linkerd! The latest stable release is stable-2.1.0.

To install this edge release, run:
curl https://run.linkerd.io/install-edge | sh

  • CLI
    • Improved service profile validation when running linkerd check in order to
      validate service profiles in all namespaces
  • Controller
    • Added stat and tap support for StatefulSets in the CLI, Grafana, and web UI
    • Updated auto-injector to use the proxy log level configured at install time
    • Fixed issue with auto-injector including TLS settings in injected pods even
      when TLS was not enabled
  • Proxy
    • Modified the way in which canonicalization warnings are logged to reduce the
      overall volume of error logs and make it clearer when failures occur

edge-19.2.1

08 Feb 01:28
19120d3

This is an edge release of Linkerd! The latest stable release is stable-2.1.0.

To install this edge release, run:
curl https://run.linkerd.io/install-edge | sh

  • Controller
    • Breaking change: Changed automatic proxy injection to be opt-in via the
      linkerd.io/inject annotation on the pod or namespace. More info:
      https://linkerd.io/2/proxy-injection/
    • Breaking change: ServiceProfiles are now defined in client and server
      namespaces, rather than the control plane namespace. ServiceProfiles
      defined in the client namespace take priority over ones defined in the
      server namespace
    • Added linkerd.io/created-by annotation to the linkerd-cni DaemonSet
      (thanks @codeman9!)
    • Added a 10 second keepalive default to resolve dropped connections in Azure
      environments
    • Improved node selection for installing the linkerd-cni DaemonSet (thanks
      @codeman9!)
    • Corrected the expected controller identity when configuring pods with TLS
    • Modified klog to be verbose when controller log-level is set to Debug
  • CLI
    • Added the linkerd endpoints command to introspect Linkerd's service
      discovery state
    • Added the --tap flag to linkerd profile to generate a ServiceProfile
      by using the route results seen during the tap
    • Added support for the linkerd.io/inject: disabled annotation on pod specs
      to disable injection for specific pods when running linkerd inject
    • Added support for basePath in OpenAPI 2.0 files when running linkerd profile --open-api
    • Increased linkerd check client timeout from 5 seconds to 30 seconds to fix
      issues for clusters with a slower API server
    • linkerd routes will no longer return rows for ExternalName services in
      the namespace
    • Broadened set of valid URLs when connecting to the Kubernetes API
    • Improved ServiceProfile field validation in linkerd check
  • Proxy
    • Added TCP keepalive configuration to fix environments where peers may
      silently drop connections
    • The Get and GetProfiles APIs now accept a proxy_id parameter in order
      to return more tailored results
    • Removed TLS fallback-to-plaintext if handshake fails