Releases: linkerd/linkerd2
edge-19.4.5
This is an edge release of Linkerd! The latest stable release is stable-2.3.0.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
Significant Update
As of this edge release the proxy injector component is always installed.
To have the proxy injector inject a pod you still can manually add the
linkerd.io/inject: enable
annotation into the pod spec, or at the namespace
level to have all your pods be injected by default.
With this release the behavior of the linkerd inject
command changes, where
the proxy sidecar container YAML is no longer included in its output by
default, but instead it will just add the annotations to defer the injection to
the proxy injector.
For use cases that require the full injected YAML to be output, a new
--manual
flag has been added.
Another important update is the introduction of install stages. You still have
the old linkerd install
command, but now it can be broken into
linkerd install config
which installs the resources that require
cluster-level privileges, and linkerd install control-plane
that continues
with the resources that only require namespace-level privileges.
This also applies to the linkerd upgrade
command.
-
CLI
- Breaking Change: Removed the
--proxy-auto-inject
flag, as the
proxy injector is now always installed - Breaking Change: Replaced the
--linkerd-version
flag with the
--proxy-version
flag in thelinkerd install
andlinkerd upgrade
commands, which allows setting the version for the injected proxy sidecar
image, without changing the image versions for the control plane - Introduced install stages:
linkerd install config
and
linkerd install control-plane
- Introduced upgrade stages:
linkerd upgrade config
and
linkerd upgrade control-plane
- Introduced a new
--from-manifests
flag tolinkerd upgrade
allowing
manually feeding a previously saved output oflinkerd install
into the
command, instead of requiring a connection to the cluster to fetch the
config - Introduced a new
--manual
flag tolinkerd inject
to output the proxy
sidecar container spec - Introduced a new
--enable-debug-sidecar
option tolinkerd inject
, that
injects a debug sidecar to inspect traffic to and from the meshed pod - Added a new check for unschedulable pods and PSP issues (thanks, @liquidslr!)
- Disabled the spinner in
linkerd check
when running without a TTY - Ensured the ServiceAccount for the proxy injector is created before its
Deployment to avoid warnings when installing the proxy injector
(thanks, @dwj300!)
- Breaking Change: Removed the
-
Controller
- Added Go pprof HTTP endpoints to all control plane components' admin
servers to better assist debugging efforts - Fixed bug in the proxy injector, where sporadically the pod workload owner
wasn't properly determined, which would result in erroneous stats - Added support for a new
config.linkerd.io/disable-identity
annotation to
opt out of identity for a specific pod
- Added Go pprof HTTP endpoints to all control plane components' admin
-
Web UI
- Added the Font Awesome stylesheet locally; this allows both Font Awesome
and Material-UI sidebar icons to display consistently with no/limited
internet access (thanks again, @liquidslr!)
- Added the Font Awesome stylesheet locally; this allows both Font Awesome
-
Internal
- Known container errors were hidden in the integration tests; now they are
reported in the output, still without having the tests fail
- Known container errors were hidden in the integration tests; now they are
stable-2.3.0
Announcing Linkerd 2.3 🎈
This stable release introduces a new TLS-based service identity system into the
default Linkerd installation, replacing --tls=optional
and the linkerd-ca
controller. Now, proxies generate ephemeral private keys into a tmpfs directory
and dynamically refresh certificates, authenticated by Kubernetes ServiceAccount
tokens, and tied to ServiceAccounts as the identity primitive.
In this release, all meshed HTTP communication is private and authenticated by
default.
Among the many improvements to the web dashboard, we've added a Community page
to surface news and updates from linkerd.io.
For more details, see the announcement blog post:
https://linkerd.io/2019/04/16/announcing-linkerd-2.3/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: The linkerd-ca
controller has been removed in favor of the
linkerd-identity
controller. If you had previously installed Linkerd with
--tls=optional
, manually delete the linkerd-ca
deployment after upgrading.
Also, --single-namespace
mode is no longer supported. For full details on
upgrading to this release, please see the
upgrade instructions.
Special thanks to: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk,
@liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!
Full release notes:
- CLI
- Introduced an
upgrade
command! This allows an existing Linkerd control
plane to be reinstalled or reconfigured; it is particularly useful for
automatically reusing flags set in the previousinstall
orupgrade
- Introduced the
linkerd metrics
command for fetching proxy metrics - Breaking Change: The
--linkerd-cni-enabled
flag has been removed from
theinject
command; CNI is configured at the cluster level with the
install
command and no longer applies to theinject
command - Breaking Change Removed the
--disable-external-profiles
flag from the
install
command; external profiles are now disabled by default and can be
enabled with the new--enable-external-profiles
flag - Breaking change Removed the
--api-port
flag from theinject
and
install
commands, since there's no benefit to running the control plane's
destination API on a non-default port (thanks, @paranoidaditya) - Breaking change Removed the
--tls=optional
flag from the
linkerd install
command, since TLS is now enabled by default - Changed
install
to accept or generate an issuer Secret for the Identity
controller - Changed
install
to fail in the case of a conflict with an existing
installation; this can be disabled with the--ignore-cluster
flag - Added the ability to adjust the Prometheus log level via
--controller-log-level
- Implemented
--proxy-cpu-limit
and--proxy-memory-limit
for setting the
proxy resources limits (--proxy-cpu
and--proxy-memory
were deprecated in
favor ofproxy-cpu-request
andproxy-memory-request
) (thanks @TwinProduction!) - Added a validator for the
--proxy-log-level
flag - Updated the
inject
anduninject
subcommands to issue warnings when
resources lack aKind
property (thanks @Pothulapati!) - The
inject
command proxy options are now converted into config
annotations; the annotations ensure that these configs are persisted in
subsequent resource updates - Changed
inject
to require fetching a configuration from the control plane;
this can be disabled with the--ignore-cluster
and--disable-identity
flags, though this will prevent the injected pods from participating in mesh
identity - Included kubectl version check as part of
linkerd check
(thanks @yb172!) - Updated
linkerd check
to ensure hint URLs are displayed for RPC checks - Fixed sporadic (and harmless) race condition error in
linkerd check
- Introduced a check for NET_ADMIN in
linkerd check
- Fixed permissions check for CRDs
- Updated the
linkerd dashboard
command to serve the dashboard on a fixed
port, allowing it to leverage browser local storage for user settings - Updated the
linkerd routes
command to display rows for routes that are not
receiving any traffic - Added TCP stats to the stat command, under the
-o wide
and-o json
flags - The
stat
command now always shows the number of open TCP connections - Removed TLS metrics from the
stat
command; this is in preparation for
surfacing identity metrics in a clearer way - Exposed the
install-cni
command and its flags, and tweaked their descriptions - Eliminated false-positive vulnerability warnings related to go.uuid
- Introduced an
- Controller
- Added a new public API endpoint for fetching control plane configuration
- Breaking change Removed support for running the control plane in
single-namespace mode, which was severely limited in the number of features
it supported due to not having access to cluster-wide resources; the end
goal being Linkerd degrading gracefully depending on its privileges - Updated automatic proxy injection and CLI injection to support overriding
inject defaults via pod spec annotations - Added support for the
config.linkerd.io/proxy-version
annotation on pod
specs; this will override the injected proxy version - The auto-inject admission controller webhook is updated to watch pods
creation and update events; with this change, proxy auto-injection now works
for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc - Service profile validation is now performed via a webhook endpoint; this
prevents Kubernetes from accepting invalid service profiles - Changed the default CPU request from
10m
to100m
for HA deployments;
this will help some intermittent liveness/readiness probes from failing due
to tight resource constraints - Updated destination service to return TLS identities only when the
destination pod is TLS-aware and is in the same controller namespace - Lessen klog level to improve security
- Updated control plane components to query Kubernetes at startup to determine
authorized namespaces and if ServiceProfile support is available - Modified the stats payload to include the following TCP stats:
tcp_open_connections
,tcp_read_bytes_total
,tcp_write_bytes_total
- Instrumented clients in the control plane connecting to Kubernetes, thus
providing better visibility for diagnosing potential problems with those
connections - Renamed the "linkerd-proxy-api" service to "linkerd-destination"
- Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
- Proxy
- Introduced per-proxy private key generation and dynamic certificate renewal
- Fixed a connection starvation issue where TLS discovery detection on
slow or idle connections could block all other connections from being
accepted on the inbound listener of the proxy - Fixed a stream leak between the proxy and the control plane that could
cause thelinkerd-controller
pod to use an excessive amount of memory - Added a readiness check endpoint on
:4191/ready
so that Kubernetes doesn't
consider pods ready until they have acquired a certificate from the Identity
controller - Some
l5d-*
informational headers have been temporarily removed from
requests and responses because they could leak information to external
clients - The proxy's connect timeouts have been updated, especially to improve
reconnect behavior between the proxy and the control plane - Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
- The
l5d-remote-ip
header is now set on inbound requests and outbound
responses - Fixed issue with proxy falling back to filesystem polling due to improperly
sized inotify buffer
- Web UI
- New Added a Community page to surface news and updates from linkerd.io
- Added a Debug page to the web dashboard, allowing you to introspect service
discovery state - The Overview page in the Linkerd dashboard now renders appropriately when
viewed on mobile devices - Added filter functionality to the metrics tables
- Added stable sorting for table rows
- Added TCP stats to the Linkerd Pod Grafana dashboard
- Added TCP stat tables on the namespace landing page and resource detail page
- The topology graph now shows TCP stats if no HTTP stats are available
- Improved table display on the resource detail page for resources with
TCP-only traffic - Updated the resource detail page to start displaying a table with TCP stats
- Modified the Grafana variable queries to use a TCP-based metric, so that
if there is only TCP traffic then the dropdowns don't end up empty - Fixed sidebar not updating when resources were added/deleted (thanks
@liquidslr!) - Added validation to the "new service profile" form (thanks @liquidslr!)
- Added a Grafana dashboard and web tables for displaying Job stats
(thanks, @Pothulapati!) - Removed TLS columns from the dashboard tables; this is in preparation for
surfacing identity metrics in a clearer way - Fixed the behavior of the Top query 'Start' button if a user's query returns
no data - Fixed an issue with the order of tables returned from a Top Routes query
- Added text wrap for paths in the modal for expanded Tap query data
- Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
- Updated sorting of route table to move default routes to the bottom
- Removed 'Help' hierarchy and surfaced links on navigation sidebar
- Ensured that all the tooltips in Grafana displaying the series are shared
across all the graphs
- Internals
- Improved the `bin/go-...
edge-19.4.4
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- Proxy
- Fixed a connection starvation issue where TLS discovery detection on
slow or idle connections could block all other connections from being
accepted on the inbound listener of the proxy
- Fixed a connection starvation issue where TLS discovery detection on
- CLI
- Fixed
inject
to allow the--disable-identity
flag to be used
without having to specify the--ignore-cluster
flag
- Fixed
- Web UI
- The Overview page in the Linkerd dashboard now renders appropriately when
viewed on mobile devices
- The Overview page in the Linkerd dashboard now renders appropriately when
edge-19.4.3
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- CLI
- Fixed
linkerd upgrade
command not upgrading proxy containers (thanks
@jon-walton for the issue report!) - Fixed
linkerd upgrade
command not installing the identity service when
it was not already installed - Eliminate false-positive vulnerability warnings related to go.uuid
- Fixed
Special thanks to @KatherineMelnyk for updating the web component to read the
UUID from the linkerd-config
ConfigMap!
edge-19.4.2
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- CLI
- Removed TLS metrics from the
stat
command; this is in preparation for
surfacing identity metrics in a clearer way - The
upgrade
command now outputs a URL that explains next steps for
upgrading - Breaking Change: The
--linkerd-cni-enabled
flag has been removed from
theinject
command; CNI is configured at the cluster level with the
install
command and no longer applies to theinject
command
- Removed TLS metrics from the
- Controller
- Service profile validation is now performed via a webhook endpoint; this
prevents Kubernetes from accepting invalid service profiles - Added support for the
config.linkerd.io/proxy-version
annotation on pod
specs; this will override the injected proxy version - Changed the default CPU request from
10m
to100m
for HA deployments;
this will help some intermittent liveness/readiness probes from failing due
to tight resource constraints
- Service profile validation is now performed via a webhook endpoint; this
- Proxy
- The
CommonName
field on CSRs is now set to the proxy's identity name
- The
- Web UI
- Removed TLS columns from the dashboard tables; this is in preparation for
surfacing identity metrics in a clearer way
- Removed TLS columns from the dashboard tables; this is in preparation for
edge-19.4.1
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- CLI
- Introduced an
upgrade
command! This allows an existing Linkerd control plane to be reinstalled or reconfigured; it is particularly useful for automatically reusing flags set in the previousinstall
orupgrade
- The
inject
command proxy options are now converted into config annotations; the annotations ensure that these configs are persisted in subsequent resource updates - The
stat
command now always shows the number of open TCP connections - Breaking Change Removed the
--disable-external-profiles
flag from theinstall
command; external profiles are now disabled by default and can be enabled with the new--enable-external-profiles
flag
- Introduced an
- Controller
- The auto-inject admission controller webhook is updated to watch pods creation and update events; with this change, proxy auto-injection now works for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc
- Proxy
- Some
l5d-*
informational headers have been temporarily removed from requests and responses because they could leak information to external clients
- Some
- Web UI
- The topology graph now shows TCP stats if no HTTP stats are available
- The resource detail page no longer shows blank tables if the resource only has TCP traffic
- Added validation to the "new service profile" form (thanks @liquidslr!)
edge-19.3.3
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
Significant Update
This edge release introduces a new TLS Identity system into the default Linkerd
installation, replacing tls=optional
and the linkerd-ca
controller. Now,
proxies generate ephemeral private keys into a tmpfs directory and dynamically
refresh certificates, authenticated by Kubernetes ServiceAccount tokens, via the
newly-introduced Identity controller.
Now, all meshed HTTP communication is private and authenticated by default.
- CLI
- Changed
install
to accept or generate an issuer Secret for the Identity
controller - Changed
install
to fail in the case of a conflict with an existing
installation; this can be disabled with the--ignore-cluster
flag - Changed
inject
to require fetching a configuration from the control plane;
this can be disabled with the--ignore-cluster
and--disable-identity
flags, though this will prevent the injected pods from participating in mesh
identity - Removed the
--tls=optional
flag from thelinkerd install
command, since
TLS is now enabled by default - Added the ability to adjust the Prometheus log level
- Changed
- Proxy
- Fixed a stream leak between the proxy and the control plane that could
cause thelinkerd-controller
pod to use an excessive amount of memory - Introduced per-proxy private key generation and dynamic certificate renewal
- Added a readiness check endpoint on
:4191/ready
so that Kubernetes doesn't
consider pods ready until they have acquired a certificate from the Identity
controller - The proxy's connect timeouts have been updated, especially to improve
reconnect behavior between the proxy and the control plane
- Fixed a stream leak between the proxy and the control plane that could
- Web UI
- Added TCP stats to the Linkerd Pod Grafana dashboard
- Fixed the behavior of the Top query 'Start' button if a user's query returns
no data - Added stable sorting for table rows
- Fixed an issue with the order of tables returned from a Top Routes query
- Added text wrap for paths in the modal for expanded Tap query data
- Internal
- Improved the
bin/go-run
script for the build process so that on failure,
all associated background processes are terminated
- Improved the
Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone
and @sourishkrout at @smallstep for collaboration and advice on the Identity
system!
edge-19.3.2
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- Controller
- Breaking change Removed support for running the control plane in
single-namespace mode, which was severely limited in the number of features
it supported due to not having access to cluster-wide resources - Updated automatic proxy injection and CLI injection to support overriding
inject defaults via pod spec annotations - Added a new public API endpoint for fetching control plane configuration
- Breaking change Removed support for running the control plane in
- CLI
- Breaking change Removed the
--api-port
flag from theinject
and
install
commands, since there's no benefit to running the control plane's
destination API on a non-default port (thanks, @paranoidaditya) - Introduced the
linkerd metrics
command for fetching proxy metrics - Updated the
linkerd routes
command to display rows for routes that are not
receiving any traffic - Updated the
linkerd dashboard
command to serve the dashboard on a fixed
port, allowing it to leverage browser local storage for user settings
- Breaking change Removed the
- Web UI
- New Added a Community page to surface news and updates from linkerd.io
- Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
- Added a Grafana dashboard and web tables for displaying Job stats
(thanks, @Pothulapati!) - Updated sorting of route table to move default routes to the bottom
- Added TCP stat tables on the namespace landing page and resource detail page
edge-19.3.1
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- CLI
- Introduced a check for NET_ADMIN in
linkerd check
- Fixed permissions check for CRDs
- Included kubectl version check as part of
linkerd check
(thanks @yb172!) - Added TCP stats to the stat command, under the
-o wide
and-o json
flags
- Introduced a check for NET_ADMIN in
- Controller
- Updated the
mutatingwebhookconfiguration
so that it is recreated when the
proxy injector is restarted, so that the MWC always picks up the latest
config template during version upgrade
- Updated the
- Proxy
- Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
- The
l5d-remote-ip
header is now set on inbound requests and outbound
responses
- Web UI
- Fixed sidebar not updating when resources were added/deleted (thanks
@liquidslr!) - Added filter functionality to the metrics tables
- Fixed sidebar not updating when resources were added/deleted (thanks
- Internal
- Added more log errors to the integration tests
- Removed the GOPATH dependence from the CLI dev environment
- Consolidated injection code from CLI and admission controller code paths
edge-19.2.5
This is an edge release of Linkerd! The latest stable release is stable-2.2.1.
To install this edge release, run: curl https://run.linkerd.io/install-edge | sh
- CLI
- Updated
linkerd check
to ensure hint URLs are displayed for RPC checks
- Updated
- Controller
- Updated the auto-inject admission controller webhook to respond to UPDATE
events for deployment workloads - Updated destination service to return TLS identities only when the
destination pod is TLS-aware and is in the same controller namespace - Lessen klog level to improve security
- Updated control-plane components to query Kubernetes at startup to determine
authorized namespaces and if ServiceProfile support is available - Modified the stats payload to include the following TCP stats:
tcp_open_connections
,tcp_read_bytes_total
,tcp_write_bytes_total
- Updated the auto-inject admission controller webhook to respond to UPDATE
- Proxy
- Fixed issue with proxy falling back to filesystem polling due to improperly
sized inotify buffer
- Fixed issue with proxy falling back to filesystem polling due to improperly
- Web UI
- Removed 'Help' hierarchy and surfaced links on navigation sidebar
- Added a Debug page to the web dashboard, allowing you to introspect service discovery state
- Updated the resource detail page to start displaying a table with TCP stats
- Internal
- Enabled the following linters:
unparam
,unconvert
,goimports
,
goconst
,scopelint
,unused
,gosimple
- Bumped base Docker images
- Enabled the following linters: