edge-24.8.3

Overall status: RECOMMENDED

Cautions

N/A

Changes

In addition to dependency upgrades, this edge release has two fixes for Linkerd Viz: it correctly supports setting the group ID using the linkerd-viz Helm chart (thanks, @mozemke!) and it cleans up font downloading to avoid WAF errors.

What's Changed

• Font fixes by @kflynn in #12948
• proxy: v2.249.0 by @l5d-bot in #12966
• build(deps): bump @fortawesome/free-solid-svg-icons from 6.5.2 to 6.6.0 in /web/app by @dependabot in #12929
• build(deps): bump query-string from 9.0.0 to 9.1.0 in /web/app by @dependabot in #12930
• build(deps-dev): bump @babel/preset-env from 7.25.0 to 7.25.3 in /web/app by @dependabot in #12931
• build(deps): bump ppv-lite86 from 0.2.18 to 0.2.20 by @dependabot in #12934
• build(deps): bump regex from 1.10.5 to 1.10.6 by @dependabot in #12935
• build(deps): bump clap from 4.5.11 to 4.5.16 by @dependabot in #12962
• build(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #12942
• await endpoints ready in more e2e tests to combat flakyness by @adleong in #12947
• build(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #12945
• Fix dual-stack integration test by @alpeb in #12946
• build(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible by @dependabot in #12952
• build(deps): bump serde_json from 1.0.121 to 1.0.125 by @dependabot in #12963
• build(deps): bump google-github-actions/auth from 2.1.3 to 2.1.5 by @dependabot in #12967
• build(deps): bump tj-actions/changed-files from 44.5.6 to 45.0.0 by @dependabot in #12969
• build(deps-dev): bump @babel/core from 7.24.9 to 7.25.2 in /web/app by @dependabot in #12932
• build(deps-dev): bump @babel/eslint-parser from 7.25.0 to 7.25.1 in /web/app by @dependabot in #12933
• fix: use correct key to set GID in charts by @mozemke in #12968
• build(deps): bump bytes from 1.6.1 to 1.7.1 by @dependabot in #12927
• build(deps): bump golang.org/x/tools from 0.23.0 to 0.24.0 by @dependabot in #12943
• build(deps): bump tower-service from 0.3.2 to 0.3.3 by @dependabot in #12980
• build(deps): bump cpufeatures from 0.2.12 to 0.2.13 by @dependabot in #12979
• build(deps): bump tower-layer from 0.3.2 to 0.3.3 by @dependabot in #12978
• build(deps): bump quote from 1.0.36 to 1.0.37 by @dependabot in #12976
• build(deps): bump k8s.io/apimachinery from 0.30.3 to 0.31.0 by @dependabot in #12975
• build(deps): bump libc from 0.2.155 to 0.2.158 by @dependabot in #12977
• build(deps-dev): bump @babel/preset-env from 7.25.3 to 7.25.4 in /web/app by @dependabot in #12982
• build(deps-dev): bump eslint-plugin-promise from 7.0.0 to 7.1.0 in /web/app by @dependabot in #12983
• build(deps): bump @babel/eslint-plugin from 7.24.7 to 7.25.1 in /web/app by @dependabot in #12985
• build(deps): bump serde from 1.0.204 to 1.0.209 by @dependabot in #12987
• build(deps): bump tokio from 1.39.2 to 1.39.3 by @dependabot in #12990
• build(deps): bump object from 0.36.2 to 0.36.3 by @dependabot in #12991
• build(deps): bump serde_json from 1.0.125 to 1.0.127 by @dependabot in #12992
• proxy: v2.250.0 by @l5d-bot in #12996
• build(deps-dev): bump webpack from 5.93.0 to 5.94.0 in /web/app by @dependabot in #12984
• build(deps-dev): bump @babel/runtime from 7.25.0 to 7.25.4 in /web/app by @dependabot in #12986
• build(deps): bump mio from 1.0.1 to 1.0.2 by @dependabot in #13001

New Contributors

• @mozemke made their first contribution in #12968

Full Changelog: edge-24.8.2...edge-24.8.3

edge-24.8.2

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release makes certain that Linkerd won't attempt to bind to IPv6 addresses at all unless IPv6 is enabled.

What's Changed

• build(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #12937
• Only bind to IPv6 addresses when disableIPv6=false by @alpeb in #12938

Full Changelog: edge-24.8.1...edge-24.8.2

edge-24.8.1

Overall status: RECOMMENDED

Cautions

If you don't have the GRPCRoute CRD installed at all, Linkerd will run without GRPCRoute support. If you add the CRD after starting Linkerd, you'll need to restart the control plane for Linkerd to be able to use GRPCRoutes.

Changes

This release makes GRPCRoute optional: if you don't have the GRPCRoute CRD installed, Linkerd will run without any GRPCRoute functionality rather than failing to start. It also improves the status text when an HTTPRoute is incorrectly configured with parentRef pointing to a headless service, to make this situation easier to debug, and makes certain that trace-level logs honor proxy.logHTTPHeaders.

What's Changed

• build(deps): bump tokio from 1.39.1 to 1.39.2 by @dependabot in #12907
• build(deps-dev): bump eslint-plugin-promise from 6.5.1 to 7.0.0 in /web/app by @dependabot in #12898
• build(deps-dev): bump @babel/runtime from 7.24.8 to 7.25.0 in /web/app by @dependabot in #12899
• build(deps-dev): bump chai from 4.4.1 to 4.5.0 in /web/app by @dependabot in #12900
• build(deps-dev): bump @babel/eslint-parser from 7.24.8 to 7.25.0 in /web/app by @dependabot in #12902
• build(deps): bump windows_x86_64_gnu from 0.52.5 to 0.52.6 by @dependabot in #12904
• build(deps): bump version_check from 0.9.4 to 0.9.5 by @dependabot in #12906
• build(deps): bump windows_aarch64_msvc from 0.52.5 to 0.52.6 by @dependabot in #12905
• build(deps): bump windows_i686_gnu from 0.52.5 to 0.52.6 by @dependabot in #12908
• build(deps): bump cc from 1.1.6 to 1.1.7 by @dependabot in #12909
• build(deps-dev): bump @babel/preset-env from 7.24.8 to 7.25.0 in /web/app by @dependabot in #12901
• build(deps): bump clap from 4.5.10 to 4.5.11 by @dependabot in #12910
• build(deps): bump object from 0.36.1 to 0.36.2 by @dependabot in #12911
• build(deps): bump serde_json from 1.0.120 to 1.0.121 by @dependabot in #12912
• build(deps): bump ppv-lite86 from 0.2.17 to 0.2.19 by @dependabot in #12919
• feat(proxy): Disable all header and request logging by @adleong in #12903
• Make GrpcRoute watches optional by @adleong in #12917
• proxy: v2.245.0 by @l5d-bot in #12920
• build(deps): bump github.com/docker/docker from 25.0.5+incompatible to 26.1.4+incompatible by @dependabot in #12915
• build(deps): bump google.golang.org/grpc/cmd/protoc-gen-go-grpc from 1.4.0 to 1.5.1 by @dependabot in #12913
• proxy: v2.246.0 by @l5d-bot in #12925
• downgrade away from yanked version of ppv-lite86 by @adleong in #12926
• add status message when attempting to attach to headless service by @adleong in #12918

Full Changelog: edge-24.7.5...edge-24.8.1

edge-24.7.5

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release supports Server-scoped default policy, policy audit mode, GRPCRoute, and new retry and timeout configuration (including for Gateway API resources)!

Server-scoped default policy

Server resources now have an accessPolicy field that will override the default inbound policy for any traffic associated with that Server. (The default accessPolicy is deny, for compatibility with previous releases.)

Policy audit mode

Both default inbound policy and Server accessPolicy can now be set to audit in order to allow traffic to flow, but log anything that would be denied. In the proxy's logs, you'll see INFO level logs with the tag authz.name=audit. In metrics (such as request_total) you'll see the label authz_name=audit.

GRPCRoute

edge-24.7.5 includes support for the Gateway API GRPCRoute resource. Remember that starting with edge-24.5.2, if you don't set enableHttpRoutes to false when installing, Linkerd will install the grpcroute.gateway.networking.k8s.io CRD into your cluster and remove it when Linkerd is uninstalled.

Retries

Starting in this release, you can use the retry.linkerd.io/http annotation on Service or HTTPRoute resources to enable HTTP retries. The value of this annotation is a comma-separated list of HTTP statuses to retry on (for example "502-504,511"). "5xx" is shorthand for any of the 5xx status codes, and gateway-error is shorthand for "502-504".

You can also use the retry.linkerd.io/grpc annotation on Service or GRPCRoute resources to enable gRPC retries. The value of this annotation is a comma-separated list of gRPC results to retry on (for example "cancelled,deadline-exceeded").

These are counted retries, unlike Linkerd's typical budgeted retries. Use the retry.linkerd.io/limit annotation to set the maximum number of retries, and the retry.linkerd.io/timeout annotation to set how long Linkerd will give a request before cancelling it and retrying.

Timeouts

Finally, you can configure timeouts on Service, HTTPRoute, and GRPCRoute with annotations. timeout.linkerd.io/request and timeout.linkerd.io/response set timeouts for processing the request and receiving the response; timeout.linkerd.io/idle sets the idle timeout. All currently allow values similar to GEP-2257 Duration strings, but allowing only a single unit (for example, 1500ms or 90s are allowed, but 1s500ms and 1m30s are not).

What's Changed

• build(deps): bump anstyle from 1.0.7 to 1.0.8 by @dependabot in #12894
• build(deps): bump clap_lex from 0.7.1 to 0.7.2 by @dependabot in #12892
• proxy: v2.244.0 by @l5d-bot in #12896
• Add support for retries and timeouts by @adleong in #12888
• Audit access policy implementation by @alpeb in #12846

Full Changelog: edge-24.7.4...edge-24.7.5

edge-24.7.4

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release correctly supports IPv6 in the Linkerd CNI network-validator and repair-controller containers, and continues ongoing authorization policy work and upcoming GRPCRoute support.

What's Changed

• build(deps): bump k8s.io/endpointslice from 0.30.2 to 0.30.3 by @dependabot in #12860
• Add accessPolicy field to Server CRD by @alpeb in #12845
• build(deps): bump github.com/mattn/go-runewidth from 0.0.15 to 0.0.16 by @dependabot in #12876
• build(deps): bump tj-actions/changed-files from 44.5.5 to 44.5.6 by @dependabot in #12862
• build(deps): bump openssl from 0.10.64 to 0.10.66 by @dependabot in #12870
• build(deps): bump clap from 4.5.9 to 4.5.10 by @dependabot in #12878
• build(deps): bump tokio from 1.38.1 to 1.39.1 by @dependabot in #12877
• build(deps): bump softprops/action-gh-release from 2.0.7 to 2.0.8 by @dependabot in #12861
• Configure network-validator and repair-controller to work with IPv6 by @alpeb in #12874
• build(deps): bump cc from 1.1.5 to 1.1.6 by @dependabot in #12872
• build(deps-dev): bump webpack from 5.92.1 to 5.93.0 in /web/app by @dependabot in #12865
• proxy: v2.242.0 by @l5d-bot in #12880
• build(deps-dev): bump eslint-plugin-promise from 6.4.0 to 6.5.1 in /web/app by @dependabot in #12869
• build(deps): bump @fortawesome/free-regular-svg-icons from 6.5.2 to 6.6.0 in /web/app by @dependabot in #12868
• Trigger policy tests on Rust files changes by @alpeb in #12881
• proxy: v2.243.0 by @l5d-bot in #12886
• build(deps): bump github.com/linkerd/linkerd2-proxy-api from 0.13.1 to 0.14.0 by @dependabot in #12882
• build(deps-dev): bump eslint-plugin-react from 7.34.4 to 7.35.0 in /web/app by @dependabot in #12866
• build(deps): bump @fortawesome/fontawesome-svg-core from 6.5.2 to 6.6.0 in /web/app by @dependabot in #12867

Full Changelog: edge-24.7.3...edge-24.7.4

edge-24.7.3

Overall status: RECOMMENDED

Cautions

N/A

Changes

Updates the documentation on what networkValidator.connectAddr in the Helm chart means (thanks, @djryanj!) and continues ongoing authorization policy work.

What's Changed

• Clarifies documentation on connectAddr (helm chart) by @djryanj in #12827
• build(deps): bump bytes from 1.6.0 to 1.6.1 by @dependabot in #12840
• build(deps): bump cc from 1.1.0 to 1.1.5 by @dependabot in #12841
• build(deps-dev): bump @babel/runtime from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12835
• build(deps-dev): bump eslint-plugin-react from 7.34.3 to 7.34.4 in /web/app by @dependabot in #12836
• build(deps-dev): bump @babel/eslint-parser from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12837
• build(deps-dev): bump @babel/preset-env from 7.24.7 to 7.24.8 in /web/app by @dependabot in #12839
• build(deps-dev): bump @babel/core from 7.24.7 to 7.24.9 in /web/app by @dependabot in #12843
• build(deps): bump tokio from 1.38.0 to 1.38.1 by @dependabot in #12850
• proxy: v2.241.0 by @l5d-bot in #12849
• New "audit" value for default inbound policy by @alpeb in #12844
• build(deps): bump security-framework-sys from 2.11.0 to 2.11.1 by @dependabot in #12842
• build(deps): bump softprops/action-gh-release from 2.0.6 to 2.0.7 by @dependabot in #12859
• build(deps): bump prometheus-client from 0.22.2 to 0.22.3 by @dependabot in #12857
• build(deps): bump thiserror from 1.0.62 to 1.0.63 by @dependabot in #12856
• build(deps): bump k8s.io/kube-aggregator from 0.30.2 to 0.30.3 by @dependabot in #12855
• build(deps): bump k8s.io/apiextensions-apiserver from 0.30.2 to 0.30.3 by @dependabot in #12851

New Contributors

• @djryanj made their first contribution in #12827

Full Changelog: edge-24.7.2...edge-24.7.3

edge-24.7.2

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release bumps dependencies but has no functional changes from edge-24.7.1.

What's Changed

• build(deps): bump serde_json from 1.0.119 to 1.0.120 by @dependabot in #12795
• build(deps): bump pest from 2.7.10 to 2.7.11 by @dependabot in #12799
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.65.0 by @dependabot in #12801
• build(deps): bump pest_derive from 2.7.10 to 2.7.11 by @dependabot in #12798
• build(deps): bump zerocopy from 0.7.34 to 0.7.35 by @dependabot in #12800
• build(deps): bump windows_i686_gnullvm from 0.52.5 to 0.52.6 by @dependabot in #12804
• build(deps-dev): bump eslint-plugin-promise from 6.2.0 to 6.4.0 in /web/app by @dependabot in #12807
• build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #12809
• build(deps): bump actions/download-artifact from 4.1.7 to 4.1.8 by @dependabot in #12811
• build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #12812
• build(deps): bump golang.org/x/tools from 0.22.0 to 0.23.0 by @dependabot in #12810
• build(deps): bump cc from 1.0.104 to 1.0.106 by @dependabot in #12813
• build(deps): bump tinyvec from 1.6.1 to 1.8.0 by @dependabot in #12814
• build(deps): bump serde from 1.0.203 to 1.0.204 by @dependabot in #12815
• build(deps): bump clap from 4.5.8 to 4.5.9 by @dependabot in #12816
• build(deps): bump async-trait from 0.1.80 to 0.1.81 by @dependabot in #12822
• build(deps): bump darling from 0.20.9 to 0.20.10 by @dependabot in #12818
• proxy: v2.240.0 by @l5d-bot in #12823
• build(deps): bump cc from 1.0.106 to 1.1.0 by @dependabot in #12820
• build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @dependabot in #12829
• build(deps): bump helm.sh/helm/v3 from 3.15.2 to 3.15.3 by @dependabot in #12828
• build(deps): bump thiserror from 1.0.61 to 1.0.62 by @dependabot in #12831

Full Changelog: edge-24.7.1...edge-24.7.2

edge-24.7.1

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release continues work on upcoming GRPCRoute support and removes the empty shortnames fields from the ExternalWorkload CRD.

What's Changed

• handle httproute grpcroute conflicts by @adleong in #12782
• build(deps-dev): bump eslint-plugin-react from 7.34.2 to 7.34.3 in /web/app by @dependabot in #12762
• build(deps): bump cc from 1.0.101 to 1.0.103 by @dependabot in #12790
• build(deps): bump object from 0.36.0 to 0.36.1 by @dependabot in #12789
• build(deps-dev): bump eslint-plugin-jsx-a11y from 6.7.1 to 6.9.0 in /web/app by @dependabot in #12763
• build(deps-dev): bump webpack from 5.92.0 to 5.92.1 in /web/app by @dependabot in #12764
• build(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1 by @dependabot in #12767
• Remove empty shortnames from ExternalWorkload by @siggy in #12793
• build(deps): bump clap from 4.5.7 to 4.5.8 by @dependabot in #12788
• build(deps): bump serde_json from 1.0.118 to 1.0.119 by @dependabot in #12787
• build(deps): bump log from 0.4.21 to 0.4.22 by @dependabot in #12786
• Refactor inbound policy index in preparation for grpc support by @adleong in #12784
• build(deps): bump cc from 1.0.103 to 1.0.104 by @dependabot in #12794
• proxy: v2.239.0 by @l5d-bot in #12802
• Add gprcroute support to inbound policy API by @adleong in #12785

Full Changelog: edge-24.6.4...edge-24.7.1

edge-24.6.4

Overall status: RECOMMENDED

Cautions

It's no longer possible or necessary to explicitly set proxy-init's resource requests or limits; see the Changes section for more information.

Changes

This release changes the proxy-init container to always request the same amount of memory and CPU as the proxy itself, and removes the ability to explicitly set proxy-init's requests because there's now no need to do so. (This doesn't increase the resources required for the pod as a whole, because the proxy-init container completes before the proxy starts, letting the proxy reuse resources requested by the proxy-init container.) It also continues work on upcoming GRPCRoute support. Finally, if proxy.logHTTPHeaders is somehow empty, it correctly defaults to "off".

What's Changed

• build(deps): bump proc-macro2 from 1.0.85 to 1.0.86 by @dependabot in #12760
• Manage GrpcRoute resource status by @adleong in #12748
• Make logHTTPHeaders optional by @adleong in #12747
• feat(helm): default proxy-init resource requests to proxy values by @mateiidavid in #12741
• build(deps): bump tj-actions/changed-files from 44.5.3 to 44.5.4 by @dependabot in #12768
• build(deps): bump cc from 1.0.99 to 1.0.100 by @dependabot in #12765
• build(deps): bump lazy_static from 1.4.0 to 1.5.0 by @dependabot in #12766
• Bump linkerd-extension-init to v0.1.1 by @alpeb in #12771
• build(deps): bump tj-actions/changed-files from 44.5.4 to 44.5.5 by @dependabot in #12773
• Refactor outbound index to prepare for grpc by @adleong in #12775
• Add support for grpcroute to outbound policy by @adleong in #12761
• proxy: v2.238.0 by @l5d-bot in #12780
• build(deps): bump github.com/prometheus/common from 0.54.0 to 0.55.0 by @dependabot in #12783
• build(deps): bump tinyvec from 1.6.0 to 1.6.1 by @dependabot in #12779
• build(deps): bump either from 1.12.0 to 1.13.0 by @dependabot in #12778
• build(deps): bump serde_json from 1.0.117 to 1.0.118 by @dependabot in #12777
• build(deps): bump cc from 1.0.100 to 1.0.101 by @dependabot in #12776

Full Changelog: edge-24.6.3...edge-24.6.4

edge-24.6.3

Overall status: RECOMMENDED

Cautions

N/A

Changes

This release adds the linkerd.io/control-plane-ns label to the ext-namespace-metadata-linkerd-config Role, for parity with the other resources created when installing Linkerd.

What's Changed

• build(deps): bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 by @dependabot in #12740
• build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #12739
• build(deps-dev): bump @babel/runtime from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12738
• build(deps-dev): bump css-loader from 7.1.1 to 7.1.2 in /web/app by @dependabot in #12737
• build(deps): bump @fortawesome/react-fontawesome from 0.2.0 to 0.2.2 in /web/app by @dependabot in #12736
• build(deps-dev): bump @babel/preset-react from 7.24.6 to 7.24.7 in /web/app by @dependabot in #12735
• build(deps-dev): bump webpack from 5.91.0 to 5.92.0 in /web/app by @dependabot in #12734
• build(deps): bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2 by @dependabot in #12728
• build(deps): bump github.com/gorilla/websocket from 1.5.1 to 1.5.3 by @dependabot in #12726
• build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #12718
• build(deps): bump ws from 7.5.5 to 7.5.10 in /web/app by @dependabot in #12745
• build(deps): bump httparse from 1.9.3 to 1.9.4 by @dependabot in #12744
• build(deps): bump miniz_oxide from 0.7.3 to 0.7.4 by @dependabot in #12743
• Add missing linkerd.io/control-plane-ns label by @klingerf in #12742
• proxy: v2.237.0 by @l5d-bot in #12752
• build(deps): bump url from 2.5.1 to 2.5.2 by @dependabot in #12750
• build(deps): bump tj-actions/changed-files from 44.5.2 to 44.5.3 by @dependabot in #12759
• build(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.6 by @dependabot in #12758
• build(deps): bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 by @dependabot in #12757

Full Changelog: edge-24.6.2...edge-24.6.3