edge-24.7.5

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release supports Server-scoped default policy, policy audit mode, GRPCRoute, and new retry and timeout configuration (including for Gateway API resources)!

Server-scoped default policy

Server resources now have an accessPolicy field that will override the default inbound policy for any traffic associated with that Server. (The default accessPolicy is deny, for compatibility with previous releases.)

Policy audit mode

Both default inbound policy and Server accessPolicy can now be set to audit in order to allow traffic to flow, but log anything that would be denied. In the proxy's logs, you'll see INFO level logs with the tag authz.name=audit. In metrics (such as request_total) you'll see the label authz_name=audit.

GRPCRoute

edge-24.7.5 includes support for the Gateway API GRPCRoute resource. Remember that starting with edge-24.5.2, if you don't set enableHttpRoutes to false when installing, Linkerd will install the grpcroute.gateway.networking.k8s.io CRD into your cluster and remove it when Linkerd is uninstalled.

Retries

Starting in this release, you can use the retry.linkerd.io/http annotation on Service or HTTPRoute resources to enable HTTP retries. The value of this annotation is a comma-separated list of HTTP statuses to retry on (for example "502-504,511"). "5xx" is shorthand for any of the 5xx status codes, and gateway-error is shorthand for "502-504".

You can also use the retry.linkerd.io/grpc annotation on Service or GRPCRoute resources to enable gRPC retries. The value of this annotation is a comma-separated list of gRPC results to retry on (for example "cancelled,deadline-exceeded").

These are counted retries, unlike Linkerd's typical budgeted retries. Use the retry.linkerd.io/limit annotation to set the maximum number of retries, and the retry.linkerd.io/timeout annotation to set how long Linkerd will give a request before cancelling it and retrying.

Timeouts

Finally, you can configure timeouts on Service, HTTPRoute, and GRPCRoute with annotations. timeout.linkerd.io/request and timeout.linkerd.io/response set timeouts for processing the request and receiving the response; timeout.linkerd.io/idle sets the idle timeout. All currently allow values similar to GEP-2257 Duration strings, but allowing only a single unit (for example, 1500ms or 90s are allowed, but 1s500ms and 1m30s are not).

What's Changed

• build(deps): bump anstyle from 1.0.7 to 1.0.8 by @dependabot in #12894
• build(deps): bump clap_lex from 0.7.1 to 0.7.2 by @dependabot in #12892
• proxy: v2.244.0 by @l5d-bot in #12896
• Add support for retries and timeouts by @adleong in #12888
• Audit access policy implementation by @alpeb in #12846

Full Changelog: edge-24.7.4...edge-24.7.5

edge-24.7.4

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release correctly supports IPv6 in the Linkerd CNI network-validator and repair-controller containers, and continues ongoing authorization policy work and upcoming GRPCRoute support.

What's Changed

• build(deps): bump k8s.io/endpointslice from 0.30.2 to 0.30.3 by @dependabot in #12860
• Add accessPolicy field to Server CRD by @alpeb in #12845
• build(deps): bump github.com/mattn/go-runewidth from 0.0.15 to 0.0.16 by @dependabot in #12876
• build(deps): bump tj-actions/changed-files from 44.5.5 to 44.5.6 by @dependabot in #12862
• build(deps): bump openssl from 0.10.64 to 0.10.66 by @dependabot in #12870
• build(deps): bump clap from 4.5.9 to 4.5.10 by @dependabot in #12878
• build(deps): bump tokio from 1.38.1 to 1.39.1 by @dependabot in #12877
• build(deps): bump softprops/action-gh-release from 2.0.7 to 2.0.8 by @dependabot in #12861
• Configure network-validator and repair-controller to work with IPv6 by @alpeb in #12874
• build(deps): bump cc from 1.1.5 to 1.1.6 by @dependabot in #12872
• build(deps-dev): bump webpack from 5.92.1 to 5.93.0 in /web/app by @dependabot in #12865
• proxy: v2.242.0 by @l5d-bot in #12880
• build(deps-dev): bump eslint-plugin-promise from 6.4.0 to 6.5.1 in /web/app by @dependabot in #12869
• build(deps): bump @fortawesome/free-regular-svg-icons from 6.5.2 to 6.6.0 in /web/app by @dependabot in #12868
• Trigger policy tests on Rust files changes by @alpeb in #12881
• proxy: v2.243.0 by @l5d-bot in #12886
• build(deps): bump github.com/linkerd/linkerd2-proxy-api from 0.13.1 to 0.14.0 by @dependabot in #12882
• build(deps-dev): bump eslint-plugin-react from 7.34.4 to 7.35.0 in /web/app by @dependabot in #12866
• build(deps): bump @fortawesome/fontawesome-svg-core from 6.5.2 to 6.6.0 in /web/app by @dependabot in #12867

Full Changelog: edge-24.7.3...edge-24.7.4

edge-24.7.3

Overall status: RECOMMENDED

Cautions

N/A

Changes

Updates the documentation on what networkValidator.connectAddr in the Helm chart means (thanks, @djryanj!) and continues ongoing authorization policy work.

What's Changed

• Clarifies documentation on connectAddr (helm chart) by @djryanj in #12827
• build(deps): bump bytes from 1.6.0 to 1.6.1 by @dependabot in #12840
• build(deps): bump cc from 1.1.0 to 1.1.5 by @dependabot in #12841
• build(deps-dev): bump @babel/runtime from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12835
• build(deps-dev): bump eslint-plugin-react from 7.34.3 to 7.34.4 in /web/app by @dependabot in #12836
• build(deps-dev): bump @babel/eslint-parser from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12837
• build(deps-dev): bump @babel/preset-env from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12839
• build(deps-dev): bump @babel/core from 7.24.7 to 7.24.9 in /web/app by @dependabot in #12843
• build(deps): bump tokio from 1.38.0 to 1.38.1 by @dependabot in #12850
• proxy: v2.241.0 by @l5d-bot in #12849
• New "audit" value for default inbound policy by @alpeb in #12844
• build(deps): bump security-framework-sys from 2.11.0 to 2.11.1 by @dependabot in #12842
• build(deps): bump softprops/action-gh-release from 2.0.6 to 2.0.7 by @dependabot in #12859
• build(deps): bump prometheus-client from 0.22.2 to 0.22.3 by @dependabot in #12857
• build(deps): bump thiserror from 1.0.62 to 1.0.63 by @dependabot in #12856
• build(deps): bump k8s.io/kube-aggregator from 0.30.2 to 0.30.3 by @dependabot in #12855
• build(deps): bump k8s.io/apiextensions-apiserver from 0.30.2 to 0.30.3 by @dependabot in #12851

New Contributors

• @djryanj made their first contribution in #12827

Full Changelog: edge-24.7.2...edge-24.7.3

edge-24.7.2

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release bumps dependencies but has no functional changes from edge-24.7.1.

What's Changed

• build(deps): bump serde_json from 1.0.119 to 1.0.120 by @dependabot in #12795
• build(deps): bump pest from 2.7.10 to 2.7.11 by @dependabot in #12799
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 by @dependabot in #12801
• build(deps): bump pest_derive from 2.7.10 to 2.7.11 by @dependabot in #12798
• build(deps): bump zerocopy from 0.7.34 to 0.7.35 by @dependabot in #12800
• build(deps): bump windows_i686_gnullvm from 0.52.5 to 0.52.6 by @dependabot in #12804
• build(deps-dev): bump eslint-plugin-promise from 6.2.0 to 6.4.0 in /web/app by @dependabot in #12807
• build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #12809
• build(deps): bump actions/download-artifact from 4.1.7 to 4.1.8 by @dependabot in #12811
• build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #12812
• build(deps): bump golang.org/x/tools from 0.22.0 to 0.23.0 by @dependabot in #12810
• build(deps): bump cc from 1.0.104 to 1.0.106 by @dependabot in #12813
• build(deps): bump tinyvec from 1.6.1 to 1.8.0 by @dependabot in #12814
• build(deps): bump serde from 1.0.203 to 1.0.204 by @dependabot in #12815
• build(deps): bump clap from 4.5.8 to 4.5.9 by @dependabot in #12816
• build(deps): bump async-trait from 0.1.80 to 0.1.81 by @dependabot in #12822
• build(deps): bump darling from 0.20.9 to 0.20.10 by @dependabot in #12818
• proxy: v2.240.0 by @l5d-bot in #12823
• build(deps): bump cc from 1.0.106 to 1.1.0 by @dependabot in #12820
• build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @dependabot in #12829
• build(deps): bump helm.sh/helm/v3 from 3.15.2 to 3.15.3 by @dependabot in #12828
• build(deps): bump thiserror from 1.0.61 to 1.0.62 by @dependabot in #12831

Full Changelog: edge-24.7.1...edge-24.7.2

edge-24.7.1

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release continues work on upcoming GRPCRoute support and removes the empty shortnames fields from the ExternalWorkload CRD.

What's Changed

• handle httproute grpcroute conflicts by @adleong in #12782
• build(deps-dev): bump eslint-plugin-react from 7.34.2 to 7.34.3 in /web/app by @dependabot in #12762
• build(deps): bump cc from 1.0.101 to 1.0.103 by @dependabot in #12790
• build(deps): bump object from 0.36.0 to 0.36.1 by @dependabot in #12789
• build(deps-dev): bump eslint-plugin-jsx-a11y from 6.7.1 to 6.9.0 in /web/app by @dependabot in #12763
• build(deps-dev): bump webpack from 5.92.0 to 5.92.1 in /web/app by @dependabot in #12764
• build(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1 by @dependabot in #12767
• Remove empty shortnames from ExternalWorkload by @siggy in #12793
• build(deps): bump clap from 4.5.7 to 4.5.8 by @dependabot in #12788
• build(deps): bump serde_json from 1.0.118 to 1.0.119 by @dependabot in #12787
• build(deps): bump log from 0.4.21 to 0.4.22 by @dependabot in #12786
• Refactor inbound policy index in preparation for grpc support by @adleong in #12784
• build(deps): bump cc from 1.0.103 to 1.0.104 by @dependabot in #12794
• proxy: v2.239.0 by @l5d-bot in #12802
• Add gprcroute support to inbound policy API by @adleong in #12785

Full Changelog: edge-24.6.4...edge-24.7.1

edge-24.6.4

Overall status: RECOMMENDED

Cautions

It's no longer possible or necessary to explicitly set proxy-init's resource requests or limits; see the Changes section for more information.

Changes

This release changes the proxy-init container to always request the same amount of memory and CPU as the proxy itself, and removes the ability to explicitly set proxy-init's requests because there's now no need to do so. (This doesn't increase the resources required for the pod as a whole, because the proxy-init container completes before the proxy starts, letting the proxy reuse resources requested by the proxy-init container.) It also continues work on upcoming GRPCRoute support. Finally, if proxy.logHTTPHeaders is somehow empty, it correctly defaults to "off".

What's Changed

• build(deps): bump proc-macro2 from 1.0.85 to 1.0.86 by @dependabot in #12760
• Manage GrpcRoute resource status by @adleong in #12748
• Make logHTTPHeaders optional by @adleong in #12747
• feat(helm): default proxy-init resource requests to proxy values by @mateiidavid in #12741
• build(deps): bump tj-actions/changed-files from 44.5.3 to 44.5.4 by @dependabot in #12768
• build(deps): bump cc from 1.0.99 to 1.0.100 by @dependabot in #12765
• build(deps): bump lazy_static from 1.4.0 to 1.5.0 by @dependabot in #12766
• Bump linkerd-extension-init to v0.1.1 by @alpeb in #12771
• build(deps): bump tj-actions/changed-files from 44.5.4 to 44.5.5 by @dependabot in #12773
• Refactor outbound index to prepare for grpc by @adleong in #12775
• Add support for grpcroute to outbound policy by @adleong in #12761
• proxy: v2.238.0 by @l5d-bot in #12780
• build(deps): bump github.com/prometheus/common from 0.54.0 to 0.55.0 by @dependabot in #12783
• build(deps): bump tinyvec from 1.6.0 to 1.6.1 by @dependabot in #12779
• build(deps): bump either from 1.12.0 to 1.13.0 by @dependabot in #12778
• build(deps): bump serde_json from 1.0.117 to 1.0.118 by @dependabot in #12777
• build(deps): bump cc from 1.0.100 to 1.0.101 by @dependabot in #12776

Full Changelog: edge-24.6.3...edge-24.6.4

edge-24.6.3

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release adds the linkerd.io/control-plane-ns label to the ext-namespace-metadata-linkerd-config Role, for parity with the other resources created when installing Linkerd.

What's Changed

• build(deps): bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 by @dependabot in #12740
• build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #12739
• build(deps-dev): bump @babel/runtime from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12738
• build(deps-dev): bump css-loader from 7.1.1 to 7.1.2 in /web/app by @dependabot in #12737
• build(deps): bump @fortawesome/react-fontawesome from 0.2.0 to 0.2.2 in /web/app by @dependabot in #12736
• build(deps-dev): bump @babel/preset-react from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12735
• build(deps-dev): bump webpack from 5.91.0 to 5.92.0 in /web/app by @dependabot in #12734
• build(deps): bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2 by @dependabot in #12728
• build(deps): bump github.com/gorilla/websocket from 1.5.1 to 1.5.3 by @dependabot in #12726
• build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #12718
• build(deps): bump ws from 7.5.5 to 7.5.10 in /web/app by @dependabot in #12745
• build(deps): bump httparse from 1.9.3 to 1.9.4 by @dependabot in #12744
• build(deps): bump miniz_oxide from 0.7.3 to 0.7.4 by @dependabot in #12743
• Add missing linkerd.io/control-plane-ns label by @klingerf in #12742
• proxy: v2.237.0 by @l5d-bot in #12752
• build(deps): bump url from 2.5.1 to 2.5.2 by @dependabot in #12750
• build(deps): bump tj-actions/changed-files from 44.5.2 to 44.5.3 by @dependabot in #12759
• build(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.6 by @dependabot in #12758
• build(deps): bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 by @dependabot in #12757

Full Changelog: edge-24.6.2...edge-24.6.3

edge-24.6.2

Overall status: RECOMMENDED

Cautions

This release includes one breaking change: the proxy's /shutdown endpoint is now disabled by default. See Changes for how to reenable it.

Changes

This release disables the proxy's /shutdown endpoint by default; it can be reenabled by using --set proxy.enableShutdownEndpoint=true when installing or upgrading. Beyond that, it fixes several bugs: EndpointSlices with no hostname field are supported (thanks, Adrian Callejas!), DNS resolution errors are correctly logged (and the resolver's log level can be configured), the proxy's administration endpoints function correctly on systems using IPv4-mapped IPv6, and the init container and CNI plugin will not attempt to start on systems that configure IPv6 but don't support ip6tables. Finally, it supports controlling whether or not HTTP headers are logged in debug output (with the default being "not"), JSON output for the link, unlink, allow, and allow-scrapes CLI commands, and fixes a typo in the output of linkerd diagnostics (thanks, John Howard!)

What's Changed

• build(deps): bump cc from 1.0.98 to 1.0.99 by @dependabot in #12699
• build(deps): bump regex from 1.10.4 to 1.10.5 by @dependabot in #12698
• add nil check when reading endpoint hostname by @adleong in #12689
• build(deps): bump @babel/eslint-plugin from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12692
• build(deps-dev): bump @babel/preset-env from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12693
• build(deps-dev): bump @babel/eslint-parser from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12694
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.2.0 in /web/app by @dependabot in #12696
• build(deps): bump braces from 3.0.2 to 3.0.3 in /web/app by @dependabot in #12700
• build(deps-dev): bump @babel/core from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12695
• build(deps): bump httparse from 1.8.0 to 1.9.2 by @dependabot in #12703
• build(deps): bump clap from 4.5.6 to 4.5.7 by @dependabot in #12701
• Add config to disable HTTP proxy logging by @adleong in #12665
• proxy: v2.235.0 by @l5d-bot in #12707
• Bump proxy-init to v2.4.1 and cni-plugin to v1.5.1 by @alpeb in #12711
• build(deps): bump k8s.io/kube-aggregator from 0.30.1 to 0.30.2 by @dependabot in #12715
• build(deps): bump helm.sh/helm/v3 from 3.15.1 to 3.15.2 by @dependabot in #12714
• build(deps): bump httparse from 1.9.2 to 1.9.3 by @dependabot in #12708
• build(deps): bump memchr from 2.7.2 to 2.7.4 by @dependabot in #12725
• build(deps): bump url from 2.5.0 to 2.5.1 by @dependabot in #12702
• build(deps): bump backtrace from 0.3.72 to 0.3.73 by @dependabot in #12716
• build(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 by @dependabot in #12730
• build(deps): bump k8s.io/endpointslice from 0.30.1 to 0.30.2 by @dependabot in #12729
• build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 by @dependabot in #12706
• chore: Update deny.toml to allow the Unicode license by @olix0r in #12732
• proxy: v2.236.0 by @l5d-bot in #12731
• Fix typo in diagnostics command by @howardjohn in #12723
• Properly set log level for hickory_resolver in proxy by @alpeb in #12722
• feat(cli): Add json output to link, unlink, allow, and allow-scrapes commands by @adleong in #12658
• feat!: Add config to disable proxy /shutdown admin endpoint by @adleong in #12705

New Contributors

• @howardjohn made their first contribution in #12723

Full Changelog: edge-24.6.1...edge-24.6.2

edge-24.6.1

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release adds support for JSON output to linkerd install and related commands.

What's Changed

• build(deps): bump proc-macro2 from 1.0.84 to 1.0.85 by @dependabot in #12675
• build(deps): bump google.golang.org/grpc/cmd/protoc-gen-go-grpc from 1.3.0 to 1.4.0 by @dependabot in #12676
• build(deps-dev): bump @babel/preset-react from 7.24.1 to 7.24.6 in /web/app by @dependabot in #12674
• build(deps-dev): bump eslint-webpack-plugin from 4.1.0 to 4.2.0 in /web/app by @dependabot in #12673
• build(deps): bump core-js from 3.37.0 to 3.37.1 in /web/app by @dependabot in #12671
• refactor(status): make route types generic by @the-wondersmith in #12661
• Add json output to install and related commands by @adleong in #12641
• build(deps): bump openssl-src from 300.3.0+3.3.0 to 300.3.1+3.3.1 by @dependabot in #12684
• proxy: v2.234.0 by @l5d-bot in #12685
• refactor(policy): generalize route types in outbound index by @the-wondersmith in #12664
• build(deps-dev): bump eslint-plugin-react from 7.34.1 to 7.34.2 in /web/app by @dependabot in #12672
• build(deps-dev): bump @babel/preset-env from 7.24.5 to 7.24.6 in /web/app by @dependabot in #12670
• build(deps): bump github.com/prometheus/common from 0.53.0 to 0.54.0 by @dependabot in #12678
• build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #12682
• build(deps): bump golang.org/x/tools from 0.21.0 to 0.22.0 by @dependabot in #12683
• build(deps): bump clap from 4.5.4 to 4.5.6 by @dependabot in #12691
• build(deps): bump clap_lex from 0.7.0 to 0.7.1 by @dependabot in #12690

Full Changelog: edge-24.5.5...edge-24.6.1

edge-24.5.5

Overall status: RECOMMENDED

Cautions

In this release, IPv6 is off by default for the entire control plane. To use IPv6, you'll need to explicitly set it -- see the Changes section below.

Changes

This release switches IPv6 off by default for the entire control plane, including the Linkerd CNI plugin. Set disableIPv6 to false to enable IPv6.

What's Changed

• build(deps): bump helm.sh/helm/v3 from 3.15.0 to 3.15.1 by @dependabot in #12645
• build(deps): bump schemars from 0.8.20 to 0.8.21 by @dependabot in #12644
• build(deps): bump tj-actions/changed-files from 44.5.0 to 44.5.1 by @dependabot in #12655
• build(deps): bump serde from 1.0.202 to 1.0.203 by @dependabot in #12654
• build(deps-dev): bump @babel/core from 7.24.5 to 7.24.6 in /web/app by @dependabot in #12646
• build(deps): bump @babel/eslint-plugin from 7.24.5 to 7.24.6 in /web/app by @dependabot in #12647
• build(deps-dev): bump @babel/runtime from 7.24.5 to 7.24.6 in /web/app by @dependabot in #12648
• build(deps-dev): bump sinon from 17.0.2 to 18.0.0 in /web/app by @dependabot in #12650
• build(deps): bump parking_lot from 0.12.2 to 0.12.3 by @dependabot in #12651
• build(deps): bump proc-macro2 from 1.0.83 to 1.0.84 by @dependabot in #12652
• build(deps): bump zeroize from 1.7.0 to 1.8.1 by @dependabot in #12653
• build(deps-dev): bump @babel/eslint-parser from 7.24.5 to 7.24.6 in /web/app by @dependabot in #12649
• IPv6/dual-stack integration tests by @alpeb in #12575
• build(deps): bump backtrace from 0.3.71 to 0.3.72 by @dependabot in #12659
• Make IPv6 support opt-in in linkerd-cni by @alpeb in #12663
• build(deps): bump tj-actions/changed-files from 44.5.1 to 44.5.2 by @dependabot in #12667
• build(deps): bump tokio from 1.37.0 to 1.38.0 by @dependabot in #12666

Full Changelog: edge-24.5.4...edge-24.5.5