Skip to content

Releases: linkerd/linkerd2

edge-25.3.4

27 Mar 23:32
@github-actions github-actions
edge-25.3.4
7c160b5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.3.4

NOT RECOMMENDED

Overall status: NOT RECOMMENDED, use edge-25.7.4 instead

Cautions

This release includes one breaking change: Linkerd now requires the Gateway API CRDs, so you must either install them before installing Linkerd, or you must explicitly set installGatewayAPI=true when installing Linkerd -- but a CLI bug in this release prevents the CLI from installing the Gateway API CRDs for you. While edge-25.4.1 fixes the CLI bug, we recommend edge-25.7.4 instead for other bugfixes.

Changes

Starting with this release, you must have the Gateway API CRDs on the cluster before installing Linkerd. If you are upgrading from an earlier version of Linkerd, you should not need to take any action. If you're installing Linkerd for the first time, you'll need to either set installGatewayAPI true when installing Linkerd, or install the Gateway API CRDs manually.

This release restores correct IPv6 support and restores Role permissions for the multicluster mirror controller, and continues multicluster improvements by introducing the new linkerd multicluster link-gen command (which deprecates link and unlink), as well as adding a CLI check to warn of any older mirror controllers that haven't yet been replaced. It supports setting proxy.metrics.hostnameLabels true when installing Linkerd to include hostname labels in outbound metrics, supports excluding labels and annotations from federated and mirrored services, fixes a bug that could result in stale Service resources when mirroring services, fixes support for ExternalWorkloads that don't explicitly declare the Linkerd proxy port (4143) in their manifests, and mitigates a thundering herd effect where proxies could unnecessarily load the DNS server. Finally, linkerd viz tap no longer relies on the obsolete authority pseudo-resource (thanks, Stephen Muth!).

What's Changed

  • build(deps): bump tj-actions/changed-files from 0b975f61488402a699abcebd6a1e25924cf85218 to 6482371e862961013f9584015cf362c4f664b20c by @dependabot in #13837
  • chore(deps): remove unused k8s-gateway-api dependency by @olix0r in #13844
  • build(deps): bump kubert from 0.23 to 0.24 by @olix0r in #13843
  • chore(dependabot): group kubert updates by @olix0r in #13842
  • build(deps): bump actions/download-artifact from 4.2.0 to 4.2.1 by @dependabot in #13839
  • build(deps): bump Swatinem/rust-cache from 2.7.7 to 2.7.8 by @dependabot in #13838
  • build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #13836
  • fix(dest): fallback to default proxy inbound port when one could not … by @zaharidichev in #13840
  • proxy: v2.288.0 by @l5d-bot in #13847
  • build(deps-dev): bump sinon from 19.0.2 to 19.0.4 in /web/app by @dependabot in #13846
  • build(deps): bump linkerd-extension-init from 0.1.2 to 0.1.3 by @alpeb in #13833
  • refactor(multicluster): revert Link permissions back to Role by @alpeb in #13848
  • Remove deprecated 'authority' references from tap form by @smuth4 in #13850
  • build(deps): bump tj-actions/changed-files from 6482371e862961013f9584015cf362c4f664b20c to 27ae6b33eaed7bf87272fdeb9f1c54f9facc9d99 by @dependabot in #13854
  • build(deps): bump iana-time-zone from 0.1.61 to 0.1.62 by @dependabot in #13857
  • feat(policy): Configure outbound hostname labels in metrics by @sfleen in #13822
  • build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6 by @dependabot in #13855
  • build(deps): bump log from 0.4.26 to 0.4.27 by @dependabot in #13856
  • build(deps): bump cc from 1.2.16 to 1.2.17 by @dependabot in #13853
  • feat(multicluster): add CLI check for legacy service mirror controllers by @alpeb in #13859
  • build(deps): bump rustls-webpki from 0.103.0 to 0.103.1 by @dependabot in #13863
  • build(deps): bump pest from 2.7.15 to 2.8.0 by @dependabot in #13862
  • build(deps): bump delegate from 0.13.2 to 0.13.3 by @dependabot in #13861
  • build(deps): bump pest_derive from 2.7.15 to 2.8.0 by @dependabot in #13860
  • proxy: v2.289.0 by @l5d-bot in #13864
  • feat(mutlicluster): Add support for excluding labels and annotations from federated and mirror services by @adleong in #13802
  • feat(multicluster): add link-gen command, deprecate link and unlink commands by @alpeb in #13858
  • feat(CLI): Add errors for invalid Gateway API CRD states by @adleong in #13834
  • fix(multicluster): fix stale service resources during event requeue by @adleong in #13849
  • build(deps): bump the clap group with 2 updates by @dependabot in #13866
  • Bump Prometheus to v2.55.1 by @siggy in #13867

New Contributors

Full Changelog: edge-25.3.3...edge-25.3.4

Contributors

siggy, olix0r, and 7 other contributors
Loading

edge-25.3.3

20 Mar 11:38
@github-actions github-actions
edge-25.3.3
049bc0c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.3.3

NOT RECOMMENDED

Overall status: NOT RECOMMENDED, use edge-25.7.4 instead

Cautions

This release unintentionally switched the multicluster mirror controller to use ClusterRole permissions rather than Role permissions. While edge-25.4.1 correctly switches back to Role and correctly supports IPv6, we recommend edge-25.7.4 instead for other bugfixes.

Additionally, this release introduces several changes to make Linkerd multicluster more GitOps-friendly, and federated Services will now keep their metadata in sync with the member with the oldest Link. To make use of this new functionality you must upgrade your Link resources by following the instructions in the upgrading multicluster page.

Changes

This edge release integrates the service-mirroring controllers into the Linkerd multicluster extension, allowing better GitOps management of the new Link v1alpha3 CRs and credential Secrets. Additionally, when using federated Services, the metadata of the federated Service will be kept in sync with the Service with the oldest Link, the proxy.cores Helm chart value has been replaced with a more flexible proxy.runtime.workers structure, it's now possible to set an environment variable to reenable outbound hostname metrics, and - last but not least! - we will correctly honor custom debug container annotations (thanks, Vishal Tewatia!)

What's Changed

  • build(deps): bump tokio from 1.43.0 to 1.44.1 by @dependabot in #13793
  • build(deps): bump tokio-util from 0.7.13 to 0.7.14 by @dependabot in #13797
  • build(deps): bump tj-actions/changed-files from 45.0.7 to 45.0.8 by @dependabot in #13798
  • build(deps): bump once_cell from 1.21.0 to 1.21.1 by @dependabot in #13796
  • build(deps): bump itoa from 1.0.14 to 1.0.15 by @dependabot in #13794
  • build(deps): bump helm.sh/helm/v3 from 3.17.1 to 3.17.2 by @dependabot in #13792
  • build(deps): bump github.com/prometheus/common from 0.62.0 to 0.63.0 by @dependabot in #13791
  • feat(multicluster): have linkerd-multicluster chart be responsible for service mirror controllers by @alpeb in #13770
  • feat(multicluster): have linkerd-multicluster chart be responsible for service mirror controllers - probes by @alpeb in #13781
  • build(deps): bump extractions/setup-just from 2.0.0 to 3.0.0 by @dependabot in #13812
  • feat(multicluster): have linkerd-multicluster chart be responsible for service mirror controllers - CLI by @alpeb in #13782
  • feat(multicluster): have linkerd-multicluster chart be responsible for service mirror controllers - tests by @alpeb in #13800
  • build(deps): bump rustversion from 1.0.19 to 1.0.20 by @dependabot in #13807
  • build(deps): bump hyper-http-proxy from 1.0.0 to 1.1.0 by @dependabot in #13808
  • build(deps): bump foldhash from 0.1.4 to 0.1.5 by @dependabot in #13809
  • build(deps): bump dtoa from 1.0.9 to 1.0.10 by @dependabot in #13810
  • build(deps): bump libc from 0.2.170 to 0.2.171 by @dependabot in #13811
  • feat(inject): replace proxy.cores with proxy.runtime.workers by @olix0r in #13767
  • build(deps-dev): bump @babel/core from 7.26.8 to 7.26.10 in /web/app by @dependabot in #13804
  • build(deps): bump @babel/eslint-plugin from 7.25.9 to 7.26.10 in /web/app by @dependabot in #13806
  • build(deps-dev): bump @babel/eslint-parser from 7.26.8 to 7.26.10 in /web/app by @dependabot in #13805
  • feat!(multicluster): Federated services take metadata from member with the oldest Link by @adleong in #13783
  • build(deps): bump async-trait from 0.1.86 to 0.1.88 by @dependabot in #13819
  • build(deps): bump http-body-util from 0.1.2 to 0.1.3 by @dependabot in #13818
  • build(deps): bump rustls from 0.23.23 to 0.23.25 by @dependabot in #13817
  • fix(multicluster): correct Helm manifest whitespacing by @alpeb in #13815
  • fix(injector): use annotated values for debug container by @vishu42 in #13778
  • fix(test): add missing env var to debug annotation test by @alpeb in #13825
  • fix(multicluster): move controller's permissions from Role to ClusterRole by @alpeb in #13823
  • build(proxy): update fetch-proxy to use the new release assets by @olix0r in #13824
  • build(deps): bump tj-actions/changed-files from 9200e69727eb73eb060652b19946b8a2fdfb654b to 0b975f61488402a699abcebd6a1e25924cf85218 by @dependabot in #13820
  • build(deps): bump github.com/containerd/containerd from 1.7.24 to 1.7.27 by @dependabot in #13816
  • chore(multicluster): descriptive name for the test-multicluster integration tests by @alpeb in #13826
  • build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @dependabot in #13831
  • build(deps): bump actions/download-artifact from 4.1.9 to 4.2.0 by @dependabot in #13830
  • build(deps): bump windows-link from 0.1.0 to 0.1.1 by @dependabot in #13828
  • build(proxy): use correct naming convention for proxy artifact in fetch-proxy by @zaharidichev in #13832
  • proxy: v2.287.0 by @l5d-bot in #13829
  • chore(helm): eliminate stray whitespace by @olix0r in #13827
  • feat(multicluster): Add Link v1alpha3 by @adleong in #13801

New Contributors

Full Changelog: edge-25.3.2...edge-25.3.3

Contributors

olix0r, alpeb, and 5 other contributors
Loading

edge-25.3.2

14 Mar 00:00
@github-actions github-actions
edge-25.3.2
d3ae51c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.3.2

NOT RECOMMENDED

Overall status: NOT RECOMMENDED, use edge-25.7.4 instead

Cautions

This release includes a change to protocol detection: if the client closes the connection without writing any data, the proxy doing protocol detection will treat it as a read failure, which a client making unusual use of half-open connections might see as a behavioral change. If you have such a client, you may need to mark the connection as opaque.

Additionally, this release changes the default for outbound-transport-mode to transport-header, which will result in all traffic between meshed proxies flowing on port 4143, rather than using the original destination port. It also does not correctly support IPv6. While edge-25.4.1 correctly supports IPv6, we recommend edge-25.7.4 for other bugfixes.

Changes

This release changes the default for outbound-transport-mode to transport-header, meaning that by default, all traffic between meshed proxies will be multiplexed on TCP port 4143 rather than using the original destination port. It also fixes a bug where installing with Helm could install Gateway API CRDs even when enableHttpRoutes, enableTcpRoutes, or enableTlsRoutes were set to false, and improves metrics around protocol declarations and protocol detection (especially when using the transport-header mode). Additionally, inbound server metrics now get a srv_port label to identify the specific port used for inbound policy.

What's Changed

Full Changelog: edge-25.3.1...edge-25.3.2

Contributors

olix0r, alpeb, and 4 other contributors
Loading

edge-25.3.1

06 Mar 22:18
@github-actions github-actions
edge-25.3.1
98bd0da
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.3.1

NOT RECOMMENDED

Overall status: NOT RECOMMENDED, use edge-25.7.4 instead

Cautions

In this release, linkerd install --crds --set enableHttpRoutes=false will still install the HTTPRoute CRD due to a bug, and IPv6 support does not work correctly. Using linkerd install --crds --set installGatewayAPI=false will work around the install issue, but we recommend edge-25.7.4 instead for other bugfixes.

Linkerd's management of Gateway API changes in this release:

  • linkerd install --crds will not install Gateway API CRDs if any are already present on the cluster (which requires linkerd install to read from the cluster);
  • The installGatewayAPI setting is the new recommended way to control whether Linkerd installs Gateway API CRDs; and
  • If Linkerd installs the Gateway API CRDs, it will annotate them with helm.sh/resource-policy: keep to avoid downtime during upgrades.

Changes

This release changes the way Linkerd manages the Gateway API CRDs as a first step away from managing them at all: the new installGatewayAPI setting takes the place of the previous enableHttpRoutes, enableTcpRoutes, and enableTlsRoutes settings; linkerd install --crds will no longer install Gateway API CRDs if any are already present; and any Gateway API CRDs installed by Linkerd will be annotated such that Helm will not uninstall them during an upgrade.

Additionally, this version adds support for Linkerd protocol declaration, bypassing protocol detection if you set appProtocol in a Service port definition (for example, setting appProtocol to http or kubernetes.io/h2c will skip protocol detection and do HTTP). It also supports setting outbound-transport-mode to transport-header when installing Linkerd to multiplex all traffic between meshed proxies on port 4143 rather than using the original destination port. Finally, the documentation for proxy-wait-before-exit-seconds has been updated to match the website (thanks, Takumi Sue!).

What's Changed

Full Changelog: edge-25.2.3...edge-25.3.1

Contributors

olix0r, alpeb, and 5 other contributors
Loading

edge-25.2.3

27 Feb 20:52
@github-actions github-actions
edge-25.2.3
2ccaad4
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.2.3

CAUTION

Overall status: RECOMMENDED for IPv4 sites only

Cautions

This release does not correctly support IPv6; sites that need IPv6 should use edge-25.4.1 or later instead. Additionally, if you allow Linkerd to manage Gateway API CRDs for you, this release will install Gateway API CRDs version 1.1.1 experimental.

Changes:

If you allow Linkerd to manage Gateway API CRDs for you, this release will upgrade your Gateway API CRDs to version 1.1.1 experimental. Also, you can now use appProtocol: linkerd.io/opaque in a Service port definition to mark a port as opaque.

What's Changed

Full Changelog: edge-25.2.2...edge-25.2.3

Contributors

adleong, dependabot, and 2 other contributors
Loading

edge-25.2.2

20 Feb 12:32
@github-actions github-actions
edge-25.2.2
582f1af
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.2.2

CAUTION

Overall status: RECOMMENDED for IPv4 sites only

Cautions

This release introduces a bug that affects only IPv6; sites that need IPv6 should use edge-25.4.1 or later instead. It also changes the default tracing protocol to OpenTelemetry instead of OpenCensus.

Changes:

The default tracing protocol is now OpenTelemetry instead of OpenCensus, and the policy controller now retries errors in lease handling. We've also enabled additional runtime metrics around Kubernetes watches, and finally, in the unlikely event of overlapping Server resources, we order the resources by creation time and name (as we do for Routes).

What's Changed

Full Changelog: edge-25.2.1...edge-25.2.2

Contributors

wmorgan, olix0r, and 4 other contributors
Loading

edge-25.2.1

12 Feb 18:20
@github-actions github-actions
edge-25.2.1
faa3f61
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.2.1

RECOMMENDED

Overall status: RECOMMENDED

Cautions

Starting with this release, the hostname label for inbound HTTP and TLS metrics will always have an empty value, and the authority label has been removed.

Changes:

This release markedly improves Linkerd's OpenTelemetry compatibility by supporting the OTEL_RESOURCE_ATTRIBUTES environment variable, correctly propagating OpenTelemetry trace attributes from the client side of a request, and better supporting OpenTelemetry trace attributes (including the pod UID and container name). It adds a new issuer_cert_ttl_seconds gauge metric to expose the time remaining until the identity issuer certificate expires (thanks, Nathan Mehl!), removes the authority label on inbound HTTP metrics, and disables the hostname label for inbound HTTP and TLS metrics (it will be present with an empty value). It also fixes a bug that could result in HTTPRoutes with no port specified ending up with stale policy information, and allows linkerd install to work without the Gateway API CRDs installed at all. Last but certainly not least, labels on mirrored Services are propagated to their mirrored versions (thanks, Maxime Brunet!) and CI got an improved codeql workflow (thanks, Scott Brenner!).

What's Changed

New Contributors

Full Changelog: edge-25.1.2...edge-25.2.1

Contributors

ScottBrenner, alpeb, and 6 other contributors
Loading

edge-25.1.2

23 Jan 13:15
@github-actions github-actions
edge-25.1.2
6714331
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.1.2

RECOMMENDED

Overall status: RECOMMENDED

Cautions

This release changes the format of the Link resource's probeSpec.period, which means that Links created by edge-25.1.1 will not work with edge-25.1.2. Additionally, the ability to query by authority in linkerd viz stat has been removed.

Changes

This release updates OpenTelemetry trace labels to follow current HTTP semantic conventions, reduces load on the Kubernetes API server when a multicluster setup mirrors a lot of Services, and allows the CNI updateStrategy to be configured (thanks, Shane Starcher!), fixing issue 13031. It also requires the Link resource's probeSpec.period to be a GEP-2257 duration string, which means that Links created by edge-25.1.1 will not work as of this release: if you try to edit or redeploy those Links, you'll get a validation error if you don't fix the probeSpec.period. Finally, this release removes the ability to query by authority in linkerd viz stat.

What's Changed

  • build(deps): bump valuable from 0.1.0 to 0.1.1 by @dependabot in #13572
  • build(deps): bump github.com/prometheus/common from 0.61.0 to 0.62.0 by @dependabot in #13571
  • build(deps): bump the kube group with 7 updates by @dependabot in #13570
  • build(deps): bump serde_json from 1.0.135 to 1.0.137 by @dependabot in #13575
  • build(deps): bump ipnet from 2.10.1 to 2.11.0 by @dependabot in #13576
  • build(deps): bump cc from 1.2.9 to 1.2.10 by @dependabot in #13574
  • build(deps): bump DavidAnson/markdownlint-cli2-action from 19.0.0 to 19.1.0 by @dependabot in #13577
  • build(deps-dev): bump eslint-plugin-react from 7.37.3 to 7.37.4 in /web/app by @dependabot in #13573
  • build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @dependabot in #13582
  • build(deps): bump the clap group with 2 updates by @dependabot in #13580
  • build(deps): bump github.com/briandowns/spinner from 0.0.0-20190212173954-5cf08d0ac778 to 1.23.2 by @dependabot in #13581
  • feat(helm): allow cni updateStrategy to be configurable by @sstarcher in #13562
  • fix(service-mirror): don't restart cluster watch upon Link status updates by @alpeb in #13579
  • viz: Prohibit authority resource targets in stat commands by @zaharidichev in #13578
  • fix(multicluster)!: Link's probeSpec.period should be formatted as duration by @alpeb in #13586
  • proxy: v2.276.0 by @l5d-bot in #13590

New Contributors

Full Changelog: edge-25.1.1...edge-25.1.2

Contributors

alpeb, sstarcher, and 3 other contributors
Loading

edge-25.1.1

16 Jan 22:18
@github-actions github-actions
edge-25.1.1
ba8a84c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-25.1.1

NOT RECOMMENDED

Overall status: NOT RECOMMENDED, use edge-25.1.2 instead

Cautions

Link resources created by this release won't work with edge-25.1.2, so we recommend that you go directly to edge-25.1.2 rather than upgrading to this release. Additionally, this release requires that the Kubernetes API server be able to use TLS v1.3. That's been supported since Kubernetes v1.19, and Linkerd currently requires at least Kubernetes v1.22, so this shouldn't be an issue for anyone. Finally, this release also validates that proxy.runAsRoot be set if proxyInit.closeWaitTimeoutSecs is set -- this was a functional requirement anyway, but we now validate it at install time.

Changes

Welcome to 2025! This first release of the year bumps the minimum TLS version when talking to the API server to v1.3 (see the CAUTIONS above), adds proper iptables support for RHEL nodes, allows Linkerd to talk to running Pods which haven't passed readiness checks yet (thanks, Tuomo!), and allows specifying both podAnnotations per deployment (thanks, Takumi Sue!) and labels for the Viz dashboard (thanks, omer2500!). It also validates that proxy.runAsRoot is set if you try to set proxyInit.closeWaitTimeoutSecs, correctly handles proxy log levels with quotes, cleans up CLI output of port forwarding errors, adds the pod UID and proxy container name to the environment, fixes a bug with installing extensions with Helm in IPv6 clusters, and removes some unneeded CNI configuration values. Finally, thanks to Joakim Roubert for cleaning up some development shell scripting!

What's Changed

Read more

Contributors

siggy, olix0r, and 11 other contributors
Loading

edge-24.11.8

26 Nov 22:12
@github-actions github-actions
edge-24.11.8
43335fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
edge-24.11.8

RECOMMENDED

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release bumps dependencies to change Linkerd's logic around Kubernetes leases to make sure that patches don't get stuck indefinitely.

What's Changed

Full Changelog: edge-24.11.7...edge-24.11.8

Contributors

olix0r and dependabot
Loading