[ { "path": ".devcontainer/README.md", "content": "# devcontainer\n\nThis directory provides a _devcontainer_ configuration that configures a\nreproducible development environment for this project.\n\nThe devcontainer configuration is maintained in the\n[linkerd/dev](https://github.com/linkerd/dev) repository.\n\n## Docker\n\nThis configuration currently uses the parent host's Docker daemon (rather than\nrunning a separate docker daemon within in the container). It creates\ndevcontainers on the host network so it's easy to use k3d clusters hosted in the\nparent host's docker daemon.\n\n## Customizing\n\nThis configuration is supposed to provide a minimal setup without catering to\nany one developer's personal tastes. Devcontainers can be extended with per-user\nconfiguration.\n\nTo add your own extensions to the devcontainer, configure default extensions in\nyour VS Code settings:\n\n```jsonc\n \"remote.containers.defaultExtensions\": [\n \"eamodio.gitlens\",\n \"GitHub.copilot\",\n \"GitHub.vscode-pull-request-github\",\n \"mutantdino.resourcemonitor\",\n \"stateful.edge\"\n ],\n```\n\nFurthermore, you can configure a _dotfiles_ repository to perform customizations\nwith a configuration like:\n\n```jsonc\n \"dotfiles.repository\": \"https://github.com/olix0r/dotfiles.git\",\n```\n" }, { "path": ".devcontainer/devcontainer.json", "content": "{\n \"name\": \"linkerd2\",\n \"image\": \"ghcr.io/linkerd/dev:v48\",\n // \"dockerFile\": \"./Dockerfile\",\n // \"context\": \"..\",\n \"features\": {\n \"ghcr.io/devcontainers/features/github-cli:1\": {}\n },\n \"customizations\": {\n \"vscode\": {\n \"extensions\": [\n \"DavidAnson.vscode-markdownlint\",\n \"golang.go\",\n \"kokakiwi.vscode-just\",\n \"ms-kubernetes-tools.vscode-kubernetes-tools\",\n \"NathanRidley.autotrim\",\n \"rust-lang.rust-analyzer\",\n \"samverschueren.final-newline\",\n \"tamasfe.even-better-toml\",\n \"zxh404.vscode-proto3\"\n ],\n \"settings\": {\n \"go.lintTool\": \"golangci-lint\",\n // TODO(ver) Find a way to enforce YAML formatting.\n // See https://github.com/redhat-developer/vscode-yaml/discussions/839\n \"yaml.format.enable\": false\n }\n }\n },\n \"runArgs\": [\n \"--init\",\n // Limit container memory usage.\n \"--memory=12g\",\n \"--memory-swap=12g\",\n // Use the host network so we can access k3d, etc.\n \"--net=host\",\n // For lldb\n \"--cap-add=SYS_PTRACE\",\n \"--security-opt=seccomp=unconfined\"\n ],\n \"overrideCommand\": false,\n \"remoteUser\": \"code\",\n \"mounts\": [\n \"source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind\"\n ]\n}\n" }, { "path": ".dockerignore", "content": ".git\n.github\n**/.idea\n**/cmake-*\n**/CMakeLists.txt\n*.iml\n**/node_modules\nbin\n!bin/action-dev-check\n!bin/fetch-proxy\n!bin/install-deps\n!bin/scurl\n!bin/web\n**/Dockerfile*\nDockerfile*\n**/target\ntarget\n!target/docker-build\nweb/app/dist\nweb/app/yarn-error.log\nvendor\n" }, { "path": ".editorconfig", "content": "# top-most EditorConfig file\nroot = true\n\n[*]\nend_of_line = lf\ninsert_final_newline = true\ntrim_trailing_whitespace = true\ncharset = utf-8\nindent_style = space\nindent_size = 4\n\n# Go code uses tabs. Display with 4 space indentation in editors and on GitHub\n# (see https://github.com/isaacs/github/issues/170#issuecomment-150489692).\n[*.go]\nindent_style = tab\n\n[*.jsx]\nindent_size = 2\nindent_style = space\n\n[*.js]\nindent_size = 2\nindent_style = space\n\n[*.css]\nindent_size = 2\nindent_style = space\n\n[*.yml]\nindent_size = 2\n\n[*.yaml]\nindent_size = 2\n\n[*.proto]\nindent_size = 2\nindent_style = space\n" }, { "path": ".gitattributes", "content": "# Expand these files in PRs:\ngo.sum linguist-generated=false\n**/Cargo.lock linguist-generated=false\n# Collapse these files in PRs:\ncontroller/gen/**/*.pb.go linguist-generated=true\n**/*.golden linguist-generated=true\n**/*.golden.yml linguist-generated=true\ncontroller/proxy-injector/fake/data/* linguist-generated=true\n" }, { "path": ".github/CODEOWNERS", "content": "# By default, the maintainers group is responsible for everything.\n* @linkerd/maintainers\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.yml", "content": "name: \"🐛 Bug Report\"\ndescription: If you've found a reproducible bug\nlabels: [\"bug\"]\nbody:\n - type: markdown\n attributes:\n value: |\n Thanks for taking the time to file a bug report!\n\n We're most likely to fix bugs that are easy to reproduce, so please try\n to provide enough information for us to understand how to reproduce the\n issue. Example Kubernetes manifests are encouraged!\n\n - type: textarea\n attributes:\n label: What is the issue?\n description: |\n A clear and concise description of what Linkerd is doing and what you\n would expect.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: How can it be reproduced?\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Logs, error output, etc\n description: |\n If the output is long, please create a [gist](https://gist.github.com/)\n and paste the link here.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: output of `linkerd check -o short`\n placeholder: |\n ```text\n your output here ...\n ```\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Environment\n placeholder: |\n - Kubernetes Version:\n - Cluster Environment: (GKE, AKS, kops, ...)\n - Host OS:\n - Linkerd version:\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Possible solution\n description: \"If you have suggestions on a fix for the bug.\"\n\n - type: textarea\n attributes:\n label: Additional context\n description: \"Add any other context about the problem here. Or a screenshot if applicable.\"\n\n - type: dropdown\n attributes:\n label: Would you like to work on fixing this bug?\n description: We are more than happy to help you through the process.\n options:\n - \"yes\"\n - \"no\"\n - \"maybe\"\n" }, { "path": ".github/ISSUE_TEMPLATE/config.yml", "content": "blank_issues_enabled: false\ncontact_links:\n- name: 🙋🏾 Question\n url: https://github.com/linkerd/linkerd2/discussions/new\n about: If you need help debugging something or have a general question about Linkerd\n" }, { "path": ".github/ISSUE_TEMPLATE/feature_request.yml", "content": "name: \"💡 Feature Request\"\ndescription: If you have a suggestion for how to improve Linkerd\nlabels: [\"enhancement\"]\nbody:\n - type: markdown\n attributes:\n value: |\n Thanks for taking the time to suggest a new feature! Please fill out this form as completely as possible.\n\n Please search to see if an issue already exists for the feature you are suggesting.\n\n - type: textarea\n attributes:\n label: What problem are you trying to solve?\n description: A concise description of what the problem is.\n placeholder: I have an issue when [...]\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: How should the problem be solved?\n description: What do you want to happen? Add any considered drawbacks.\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: Any alternatives you've considered?\n description: Is there another way to solve this problem that isn't as good a solution?\n validations:\n required: true\n\n - type: textarea\n attributes:\n label: How would users interact with this feature?\n description: If you can, explain how users will be able to use this. Maybe come sample CLI output?\n\n - type: dropdown\n attributes:\n label: Would you like to work on this feature?\n description: We are more than happy to help you through the process.\n options:\n - \"yes\"\n - \"no\"\n - \"maybe\"\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "\n" }, { "path": ".github/actions/cli-setup/action.yaml", "content": "\nname: CLI Setup\ndescription: Fetches the Linkerd CLI from an artifact and installs it into the target.\n\ninputs:\n artifact-id:\n description: The ID of the artifact to download.\n required: true\n target:\n description: The path to install the CLI into.\n required: true\n\nruns:\n using: composite\n steps:\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n artifact-ids: ${{ inputs.artifact-id }}\n path: ${{ runner.temp }}/cli\n - run: mv ${{ runner.temp }}/cli/linkerd2-cli-*-linux-amd64 ${{ inputs.target }} && chmod 755 ${{ inputs.target }}\n shell: bash\n" }, { "path": ".github/actions/docker-build/action.yml", "content": "name: Docker Build\ndescription: Builds linkerd's docker images\n\ninputs:\n docker-registry:\n description: The docker registry used to tag the images\n required: false\n default: cr.l5d.io/linkerd\n docker-target:\n description: The OS-arch the docker build will be targeted to\n required: false\n default: linux-amd64\n docker-push:\n description: Whether to push the built images to the registry\n required: false\n default: ''\n component:\n description: Component to build\n required: true\n tag:\n description: Tag to use for the built image\n required: true\n\nruns:\n using: composite\n steps:\n # populate ACTIONS_CACHE_URL and ACTIONS_RUNTIME_TOKEN\n - uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487\n - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a\n - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd\n with:\n driver-opts: network=host\n - env:\n DOCKER_REGISTRY: ${{ inputs.docker-registry }}\n DOCKER_TARGET: ${{ inputs.docker-target }}\n DOCKER_PUSH: ${{ inputs.docker-push }}\n TAG: ${{ inputs.tag }}\n RUNTIME_IMAGE: localhost:5000/linkerd/proxy-runtime:${{ inputs.tag }}\n PUSH_RUNTIME_IMAGE: true\n shell: bash\n run: bin/docker-build-${{ inputs.component }}\n\n - name: Output Image Digest\n shell: bash\n id: image_digest\n run: |\n image_digest=$(cat target/metadata-${{ inputs.component }}.json | jq -r '.\"containerimage.digest\"')\n echo \"${image_digest}\"\n echo \"DIGEST=${{ inputs.docker-registry }}/${{ inputs.component }}@${image_digest}\" >> \"$GITHUB_OUTPUT\"\n\noutputs:\n image:\n description: The image that was built\n value: ${{ inputs.docker-registry }}/${{ inputs.component }}:${{ inputs.tag }}\n digest:\n description: The image digest\n value: ${{ steps.image_digest.outputs.DIGEST }}\n" }, { "path": ".github/actions/helm-publish/action.yml", "content": "name: Helm publish\ndescription: Helm chart creation and uploading\nruns:\n using: composite\n steps:\n - name: Set up Cloud SDK\n uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'\n - uses: linkerd/dev/actions/setup-tools@v48\n - shell: bash\n run: |\n mkdir -p target/helm\n gsutil cp gs://helm.linkerd.io/edge/index.yaml target/helm/index-pre.yaml\n bin/compute-edge-version update-charts\n helm-docs\n bin/helm-build package\n cp charts/artifacthub-repo-edge.yml target/helm/artifacthub-repo.yml\n gsutil rsync target/helm gs://helm.linkerd.io/edge\n" }, { "path": ".github/dco.yml", "content": "require:\n members: false\n" }, { "path": ".github/dependabot.yml", "content": "# Dependabot are scheduled to avoid contention with normal workday CI usage. We\n# start running updates at 3AM UTC (7PM PST, 8AM IST) and stagger each\n# subsequent update by 30m.\n#\n# JS updates are run weekly.\nversion: 2\nupdates:\n - package-ecosystem: gomod\n directory: \"/\"\n schedule:\n interval: daily\n time: \"03:00\"\n timezone: Etc/UTC\n ignore:\n # TODO(ver): Remove this once we update our Gateway API dependencies.\n - dependency-name: sigs.k8s.io/gateway-api\n update-types: [version-update:semver-major, version-update:semver-minor]\n groups:\n kube:\n patterns:\n - k8s.io/*\n\n - package-ecosystem: cargo\n directory: \"/\"\n schedule:\n interval: daily\n time: \"03:30\"\n timezone: Etc/UTC\n allow:\n - dependency-type: all\n ignore:\n # These dependencies are for platforms that we don't support:\n - dependency-name: redox*\n - dependency-name: js-sys\n - dependency-name: wasm-bindgen\n - dependency-name: web-sys\n # These dependencies are updated via kubert, so only accept patch updates.\n - dependency-name: clap\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: clap_*\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: kube\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: kube-*\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: k8s-openapi\n update-types: [version-update:semver-major, version-update:semver-minor]\n # These dependencies are updated via linkerd2-proxy-api, so only accept patch updates.\n - dependency-name: prost\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: prost-*\n update-types: [version-update:semver-major, version-update:semver-minor]\n - dependency-name: tonic\n update-types: [version-update:semver-major, version-update:semver-minor]\n groups:\n clap:\n patterns:\n - clap\n - clap_*\n update-types: [minor, patch]\n futures:\n patterns:\n - futures\n - futures-*\n kube-patch:\n patterns:\n - k8s-openapi\n - kube\n - kube-*\n - gateway-api\n update-types: [patch]\n kube:\n patterns:\n - kubert\n - kubert-*\n - k8s-openapi\n - kube\n - kube-*\n - gateway-api\n update-types: [major, minor]\n grpc:\n patterns:\n - prost\n - prost-*\n - tonic\n update-types: [patch]\n tracing:\n patterns:\n - tracing\n - tracing-*\n serde:\n patterns:\n - serde\n - serde_*\n pest:\n patterns:\n - pest\n - pest_*\n\n - package-ecosystem: \"github-actions\"\n directories:\n - \"/\"\n - \".github/actions/*\"\n schedule:\n interval: \"daily\"\n time: \"04:00\"\n timezone: Etc/UTC\n\n - package-ecosystem: \"npm\"\n directory: \"/web/app\"\n schedule:\n # JS dependencies tend to be pretty noisy, so only check once per week.\n interval: \"weekly\"\n day: \"sunday\"\n ignore:\n # v6 is backwards-incompatible and requires lots of changes.\n # A compatibility layer should come out at some point\n # see https://reactrouter.com/docs/en/v6/upgrading/v5\n - dependency-name: \"react-router-dom\"\n update-types: [\"version-update:semver-major\"]\n" }, { "path": ".github/stale.yml", "content": "# Number of days of inactivity before an issue becomes stale\ndaysUntilStale: 90\n# Number of days of inactivity before a stale issue is closed\ndaysUntilClose: 14\n# Issues with these labels will never be considered stale\nexemptLabels:\n - pinned \n - area/security\n - area/tls\n - area/docs\n - area/test\n - good first issue\n - benchmarking\n - help wanted\n - epic\n - rfc\n - roadmap \n# Label to use when marking an issue as stale\nstaleLabel: wontfix\n# Comment to post when marking an issue as stale. Set to `false` to disable\nmarkComment: >\n This issue has been automatically marked as stale because it has not had\n recent activity. It will be closed in 14 days if no further activity occurs. Thank you\n for your contributions.\n# Comment to post when closing a stale issue. Set to `false` to disable\ncloseComment: false\n" }, { "path": ".github/workflows/actions.yml", "content": "name: Actions\n\non:\n pull_request:\n paths:\n - .devcontainer/devcontainer.json\n - .github/workflows/**\n\npermissions:\n contents: read\n\njobs:\n actionlint:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 10\n steps:\n - uses: linkerd/dev/actions/setup-tools@v48\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: just-dev lint-actions\n\n devcontainer-versions:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: linkerd/dev/actions/setup-tools@v48\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: just-dev check-action-images\n" }, { "path": ".github/workflows/cli-build.yml", "content": "on:\n workflow_call:\n inputs:\n version:\n type: string\n required: true\n target:\n type: string\n required: false\n default: 'multi-arch'\n outputs:\n artifact-id:\n value: ${{ jobs.build.outputs.artifact-id }}\n\njobs:\n build:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 20\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd\n - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294\n id: build\n with:\n build-args: |\n LINKERD_VERSION=${{ inputs.version }}\n target: ${{ inputs.target }}\n context: .\n file: cli/Dockerfile\n cache-from: type=gha,scope=${{ github.ref_name }}-cli\n cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-cli\n push: false\n load: false\n outputs: type=local,dest=.\n - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f\n id: upload\n with:\n name: cli-bin-${{ inputs.version }}-${{ inputs.target }}\n path: linkerd2-cli-${{ inputs.version }}-*\n outputs:\n artifact-id: ${{ steps.upload.outputs.artifact-id }}\n" }, { "path": ".github/workflows/codecov.yml", "content": "name: Coverage\n\n# Run weekly on Sunday at midnight (UTC).\non:\n schedule:\n - cron: \"0 0 * * 0\"\n\npermissions:\n contents: read\n\njobs:\n go:\n name: Go\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container:\n image: golang:1.25\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: go install gotest.tools/gotestsum@v0.4.2\n - run: gotestsum -- -cover -coverprofile=coverage.out -v -mod=readonly ./...\n - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad\n with:\n files: ./coverage.out\n flags: unittests,golang\n\n js:\n name: JS\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container:\n image: node:20-stretch\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - name: Yarn setup\n shell: bash\n run: bin/scurl -o- https://yarnpkg.com/install.sh | bash -s -- --version 1.21.1 --network-concurrency 1\n - name: Unit tests\n run: |\n export PATH=\"$HOME/.yarn/bin:$PATH\"\n export NODE_ENV=test\n bin/web --frozen-lockfile\n bin/web test --reporters=\"jest-progress-bar-reporter\" --reporters=\"./gh_ann_reporter.js\" --coverage\n - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad\n with:\n directory: ./web/app/coverage\n flags: unittests,javascript\n\n rust:\n name: Rust\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 15\n container:\n image: docker://rust:1.90.0\n options: --security-opt seccomp=unconfined\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - shell: bash\n run: mkdir -p target && cd target && bin/scurl -v https://github.com/xd009642/tarpaulin/releases/download/0.27.3/cargo-tarpaulin-x86_64-unknown-linux-musl.tar.gz | tar zxvf - && chmod 755 cargo-tarpaulin\n - run: target/cargo-tarpaulin tarpaulin --workspace --out Xml\n - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad\n with:\n flags: unittests,rust\n" }, { "path": ".github/workflows/codeql.yml", "content": "# See https://github.com/github/codeql-action/tree/v1 for more information.\n\nname: CodeQL\n\non:\n push:\n branches: [main, stable-*]\n paths:\n - .github/workflows/codeql.yml\n - \"**/*.go\"\n - \"**/*.js\"\n - \"**/*.jsx\"\n pull_request:\n # The branches below must be a subset of the branches above\n branches: [main, stable-*]\n paths:\n - .github/workflows/codeql.yml\n - \"**/*.go\"\n - \"**/*.js\"\n - \"**/*.jsx\"\n\njobs:\n analyze:\n name: Analyze\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n actions: read\n contents: read\n security-events: write\n\n strategy:\n fail-fast: false\n matrix:\n language:\n - go\n - javascript\n\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n\n - name: Initialize\n # Unpinned action version so that we automatically get analyzer updates.\n uses: github/codeql-action/init@v4\n with:\n languages: ${{ matrix.language }}\n\n - name: Analyze\n uses: github/codeql-action/analyze@v4\n" }, { "path": ".github/workflows/devcontainer.yml", "content": "name: Devcontainer\n\n# When a pull request is opened that changes the Devcontainer configuration,\n# ensure that the container continues to build properly.\non:\n pull_request:\n paths:\n - .devcontainer/devcontainer.json\n - .github/workflows/devcontainer.yml\n - rust-toolchain\n\npermissions:\n contents: read\n\njobs:\n rust-version:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-rust\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - shell: bash\n run: |\n # Extract current Rust version from the toolchain file.\n version_regex='channel = \"([0-9]+\\.[0-9]+\\.[0-9]+)\"'\n toolchain=$(cat rust-toolchain.toml)\n if [[ $toolchain =~ $version_regex ]]; then\n tc=${BASH_REMATCH[1]}\n else\n echo \"::error file=rust-toolchain.toml::failed to parse rust-toolchain.toml\"\n exit 1\n fi\n\n dev=$(cargo version | cut -d' ' -f2)\n if [ \"$dev\" != \"$tc\" ]; then\n echo \"::error file=rust-toolchain.toml,line=2::rust-toolchain ($tc) does not match devcontainer ($dev)\"\n exit 1\n fi\n\n devcontainer-image:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: linkerd/dev/actions/setup-tools@v48\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: just-dev pull-dev-image\n" }, { "path": ".github/workflows/go.yml", "content": "name: Go\non: pull_request\n\npermissions:\n contents: read\n\njobs:\n meta:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323\n id: changed\n with:\n files: |\n .github/workflows/go.yml\n go.sum\n **/*.go\n **/*.golden\n **/charts/**\n files_ignore: |\n **/Chart.yaml\n **/README*\n outputs:\n changed: ${{ steps.changed.outputs.any_changed }}\n\n go-lint:\n needs: meta\n if: needs.meta.outputs.changed == 'true'\n timeout-minutes: 10\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-go\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just go-lint --verbose --timeout=10m\n\n go-format:\n needs: meta\n if: needs.meta.outputs.changed == 'true'\n timeout-minutes: 10\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-go\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just go-fmt\n\n go-test:\n needs: meta\n if: needs.meta.outputs.changed == 'true'\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-go\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just go-fetch\n - run: just go-test\n\n # There's currently one flakey test we want to retry in particular:\n # TestEndpointProfileTranslator/Handles_overflow\n go-test-retry:\n needs: go-test\n if: failure() && fromJSON(github.run_attempt) < 3\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n actions: write\n env:\n GH_REPO: ${{ github.repository }}\n GH_TOKEN: ${{ github.token }}\n GH_DEBUG: api\n REF: ${{ github.head_ref }}\n steps:\n - run: gh workflow run rerun.yml -F 'run_id=${{ github.run_id }}' --ref \"$REF\"\n\n go-ok:\n needs: [go-lint, go-format, go-test]\n if: always()\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - name: Results\n run: |\n echo 'go-lint: ${{ needs.go-lint.result }}'\n echo 'go-format: ${{ needs.go-format.result }}'\n echo 'go-test: ${{ needs.go-test.result }}'\n\n - name: Verify jobs\n # All jobs must succeed or be skipped.\n if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')\n run: exit 1\n" }, { "path": ".github/workflows/integration.yml", "content": "name: Integration tests\n\non: pull_request\n\npermissions:\n contents: read\n\nenv:\n CARGO_INCREMENTAL: 0\n CARGO_NET_RETRY: 10\n CARGO_NEXTEST_VERSION: 0.9.100\n DOCKER_REGISTRY: ghcr.io/linkerd\n GH_ANNOTATION: true\n K3D_VERSION: v5.8.3\n RUST_BACKTRACE: short\n RUSTUP_MAX_RETRIES: 10\n YQ_VERSION: v4.44.5\n LINKERD2_PROXY_REPO: ${{ vars.LINKERD2_PROXY_REPO || 'linkerd/linkerd2-proxy' }}\n LINKERD2_PROXY_RELEASE_PREFIX: ${{ vars.LINKERD2_PROXY_RELEASE_PREFIX || 'release/' }}\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref }}\n cancel-in-progress: true\n\njobs:\n meta:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - id: tag\n run: echo \"tag=$(CI_FORCE_CLEAN=1 bin/root-tag)\" >> \"$GITHUB_OUTPUT\"\n - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323\n id: core\n with:\n files: |\n .github/workflows/integration.yml\n .proxy-version\n go.sum\n **/*.go\n **/*.rs\n **/Dockerfile*\n charts/**\n multicluster/charts/**\n justfile\n bin/fetch-proxy\n bin/_test-helper.sh\n files_ignore: |\n .devcontainer/**\n **/Chart.yaml\n **/README*\n outputs:\n tag: ${{ steps.tag.outputs.tag }}\n changed: ${{ steps.core.outputs.any_changed }}\n\n info:\n needs: meta\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 2\n steps:\n - name: Info\n run: |\n echo \"tag=${{ needs.meta.outputs.tag }}\"\n echo \"changed=${{ needs.meta.outputs.changed }}\"\n\n build-cli:\n needs: meta\n if: needs.meta.outputs.changed == 'true'\n uses: ./.github/workflows/cli-build.yml\n with:\n version: ${{ needs.meta.outputs.tag }}\n target: linux-amd64\n\n ##\n ## Core: Test the core control plane\n ##\n ## TODO(ver) CNI configurations should be tested separately.\n ##\n\n build-core:\n needs: meta\n if: needs.meta.outputs.changed == 'true'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n services:\n registry:\n image: registry:3\n ports:\n - 5000:5000\n strategy:\n matrix:\n component:\n - controller\n - proxy\n timeout-minutes: 20\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: ./.github/actions/docker-build\n id: build\n env:\n LINKERD2_PROXY_GITHUB_TOKEN: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}\n with:\n docker-registry: ${{ env.DOCKER_REGISTRY }}\n docker-target: linux-amd64\n component: ${{ matrix.component }}\n tag: ${{ needs.meta.outputs.tag }}\n - name: Run docker save\n run: |\n mkdir -p /home/runner/archives\n docker save '${{ steps.build.outputs.image }}' >'/home/runner/archives/${{ matrix.component }}.tar'\n - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f\n with:\n name: image-archives-${{ matrix.component }}\n path: /home/runner/archives\n\n test-core:\n needs: [meta, build-cli, build-core]\n if: needs.meta.outputs.changed == 'true'\n strategy:\n fail-fast: false\n matrix:\n test:\n - cni-calico-deep\n - deep\n - deep-native-sidecar\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 15\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n pattern: image-archives-*\n path: image-archives\n merge-multiple: true\n - run: find image-archives -ls\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.build-cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - run: bin/tests --images archive --cleanup-docker --name ${{ matrix.test }} ${{ runner.temp }}/linkerd\n env:\n LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}\n TAG: ${{ needs.meta.outputs.tag }}\n\n ##\n ## Policy: Only run policy tests when the policy controller or proxy changes\n ##\n\n test-policy:\n needs: [meta, build-cli, build-core]\n if: needs.meta.outputs.changed == 'true'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 20\n strategy:\n fail-fast: false\n matrix:\n # Test the latest Kubernetes version with the latest Gateway API\n # version, as well as the vendored Gateway API CRDs.\n k8s:\n - v1.34\n gateway-api:\n - version: linkerd\n channel: experimental\n - version: v1.4.0\n channel: experimental\n # Also test the Minimum Supported Kubernetes Version with the Minimum\n # Supported Gateway API version.\n include:\n - k8s: v1.23\n gateway-api:\n version: v1.1.1\n channel: standard\n env:\n GATEWAY_API_VERSION: ${{ matrix.gateway-api.version }}\n GATEWAY_API_CHANNEL: ${{ matrix.gateway-api.channel }}\n steps:\n - uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n - uses: olix0r/cargo-action-fmt/setup@9269f3aa1ff01775d95efc97037e2cbdb41d9684\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n pattern: image-archives-*\n path: image-archives\n merge-multiple: true\n - run: find image-archives -ls\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.build-cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - name: Setup deps\n shell: bash\n run: |\n rm -rf \"$HOME/.cargo\"\n bin/scurl -v https://sh.rustup.rs | sh -s -- -y --default-toolchain \"$(./bin/rust-toolchain-version)\"\n # shellcheck disable=SC1090\n source ~/.cargo/env\n echo \"PATH=$PATH\" >> \"$GITHUB_ENV\"\n bin/scurl -v \"https://raw.githubusercontent.com/k3d-io/k3d/${K3D_VERSION}/install.sh\" | bash\n bin/scurl -vo /usr/local/bin/yq \"https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64\" && chmod +x /usr/local/bin/yq\n bin/scurl -v \"https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${CARGO_NEXTEST_VERSION}/cargo-nextest-${CARGO_NEXTEST_VERSION}-x86_64-unknown-linux-musl.tar.gz\" -o nextest.tar.gz\n tar -xzf nextest.tar.gz\n mv cargo-nextest ~/.cargo/bin/\n chmod +x ~/.cargo/bin/cargo-nextest\n - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4\n - run: just policy-test-build\n - run: just k3d-k8s='${{ matrix.k8s }}' k3d-create\n - run: docker load '/home/runner/archives/${{ matrix.component }}.tar'\n - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f\n with:\n name: image-archives-${{ matrix.component }}\n path: /home/runner/archives\n\n # These tests exercise core functionality, but need the viz extension.\n test-ext:\n needs: [meta, build-cli, build-core, build-ext]\n if: needs.meta.outputs.changed == 'true'\n strategy:\n fail-fast: false\n matrix:\n integration_test:\n - cluster-domain\n - default-policy-deny\n - external\n - rsa-ca\n - tracing\n - helm-upgrade\n - uninstall\n - upgrade-edge\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 15\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n pattern: image-archives-*\n path: image-archives\n merge-multiple: true\n - run: find image-archives -ls\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.build-cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - run: bin/tests --images archive --cleanup-docker --name '${{ matrix.integration_test }}' ${{ runner.temp }}/linkerd\n env:\n LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}\n\n ##\n ## Viz: Run the (flakey) `viz` suite only when the `viz` extension is updated.\n ##\n\n test-viz:\n needs: [meta, build-cli, build-core, build-ext]\n if: needs.meta.outputs.changed == 'true'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 30\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n pattern: image-archives-*\n path: image-archives\n merge-multiple: true\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.build-cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - run: bin/tests --images archive --cleanup-docker --name viz ${{ runner.temp }}/linkerd\n env:\n LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}\n\n ##\n ## Multicluster: Run 'multicluster' suite only when the 'multicluster' extension is updated.\n ## Tests are run on min and max k8s versions\n ##\n\n test-multicluster:\n needs: [meta, build-cli, build-core, build-ext]\n if: needs.meta.outputs.changed == 'true'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 30\n strategy:\n fail-fast: false\n matrix:\n cases:\n - {k8s: \"v1.23\", manage-controllers: false, install-gwapi: true}\n # for v1.34 onwards, gwapi gets installed by Traefik on the target cluster\n - {k8s: \"v1.34\", manage-controllers: false, install-gwapi: false}\n - {k8s: \"v1.34\", manage-controllers: true, install-gwapi: false}\n name: \"test-multicluster(${{ matrix.cases.k8s }}, ${{ matrix.cases.manage-controllers && 'managed-controllers' || 'unmanaged-controllers' }})\"\n steps:\n - uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n pattern: image-archives-*\n path: image-archives\n merge-multiple: true\n - run: find image-archives -ls\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.build-cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - name: Setup deps\n shell: bash\n run: |\n echo \"PATH=$PATH\" >> \"$GITHUB_ENV\"\n bin/scurl -v \"https://raw.githubusercontent.com/k3d-io/k3d/${K3D_VERSION}/install.sh\" | bash\n - name: Load docker images\n run: |\n for img in controller proxy; do\n docker load <\"image-archives/${img}.tar\"\n done\n - run: docker image ls\n - run: just mc-test-build\n - name: Run just mc-load\n run: |\n just linkerd-tag='${{ needs.meta.outputs.tag }}' \\\n k3d-k8s='${{ matrix.cases.k8s }}' \\\n mc-load\n - run: just mc-install-gwapi\n - name: Run just mc-target-load\n run: |\n just linkerd-tag='${{ needs.meta.outputs.tag }}' \\\n k3d-k8s='${{ matrix.cases.k8s }}' \\\n mc-target-load\n - name: Run just mc-install-gwapi\n if: ${{ matrix.cases.install-gwapi }}\n run: just k3d-name='l5d-test-target' mc-install-gwapi\n - run: just mc-flat-network-init\n - name: Run just mc-test-run\n run: |\n just linkerd-tag='${{ needs.meta.outputs.tag }}' \\\n k3d-k8s='${{ matrix.cases.k8s }}' \\\n mc-test-run -multicluster-manage-controllers=${{ matrix.cases.manage-controllers }}\n\n build-ok:\n needs: [build-cli, build-core, build-ext]\n if: always()\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - name: Results\n run: |\n echo 'needs.build-cli.result: ${{ needs.build-cli.result }}'\n echo 'needs.build-core.result: ${{ needs.build-core.result }}'\n echo 'needs.build-ext.result: ${{ needs.build-ext.result }}'\n - name: Verify jobs\n # All jobs must succeed or be skipped.\n if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')\n run: exit 1\n\n # Try to re-run the integration tests if they fail, but only up to 3 times.\n integrations-retry:\n needs:\n [build-ok, test-core, test-policy, test-ext, test-viz, test-multicluster]\n if: failure() && fromJSON(github.run_attempt) < 3 && needs.build-ok.result == 'success'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n actions: write\n env:\n GH_REPO: ${{ github.repository }}\n GH_TOKEN: ${{ github.token }}\n GH_DEBUG: api\n REF: ${{ github.head_ref }}\n steps:\n - run: gh workflow run rerun.yml -F 'run_id=${{ github.run_id }}' --ref \"$REF\"\n\n integrations-ok:\n needs:\n [build-ok, test-core, test-policy, test-ext, test-viz, test-multicluster]\n if: always()\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - name: Results\n run: |\n echo 'needs.build-ok.result: ${{ needs.build-ok.result }}'\n echo 'needs.test-core.result: ${{ needs.test-core.result }}'\n echo 'needs.test-policy.result: ${{ needs.test-policy.result }}'\n echo 'needs.test-ext.result: ${{ needs.test-ext.result }}'\n echo 'needs.test-viz.result: ${{ needs.test-viz.result }}'\n echo 'needs.test-multicluster.result: ${{ needs.test-multicluster.result }}'\n - name: Verify jobs\n # All jobs must succeed or be skipped.\n if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')\n run: exit 1\n" }, { "path": ".github/workflows/js.yml", "content": "name: JS\n\non:\n pull_request:\n paths:\n - .github/workflows/js.yml\n - bin/web*\n - web/app/**\n\npermissions:\n contents: read\n\njobs:\n js-web-test:\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container:\n image: node:20-bookworm\n env:\n NODE_ENV: test\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - name: Yarn setup\n shell: bash\n run: |\n bin/scurl --retry 2 https://yarnpkg.com/install.sh | bash -s -- --version 1.21.1 --network-concurrency 1\n echo PATH=\"$HOME/.yarn/bin:$PATH\" >> \"$GITHUB_ENV\"\n - run: bin/web --frozen-lockfile\n - run: bin/web test --reporters=\"jest-progress-bar-reporter\" --reporters=\"./gh_ann_reporter.js\"\n" }, { "path": ".github/workflows/lock.yml", "content": "name: \"Lock Threads\"\n\non:\n schedule:\n - cron: \"0 1 * * *\"\n\npermissions:\n issues: write\n\njobs:\n action:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7\n with:\n issue-inactive-days: \"30\"\n process-only: \"issues\"\n" }, { "path": ".github/workflows/markdown.yml", "content": "name: markdown\n\npermissions:\n contents: read\n\non:\n pull_request:\n paths:\n - .github/workflows/markdown.yml\n - \"**/*.md\"\n\njobs:\n markdownlint:\n timeout-minutes: 5\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101\n with:\n globs: |\n **/*.md\n !**/node_modules/**\n !target/**\n" }, { "path": ".github/workflows/proto.yml", "content": "name: Proto\n\non:\n pull_request:\n paths:\n - .github/workflows/proto.yml\n - bin/protoc*\n - \"**/*.proto\"\n - \"**/gen/**/*.go\"\n\npermissions:\n contents: read\n\njobs:\n proto-diff:\n timeout-minutes: 10\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-go\n steps:\n - run: apt update && apt install -y unzip\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: bin/protoc-go.sh\n - run: git diff --exit-code\n" }, { "path": ".github/workflows/release.yml", "content": "name: Release\n\non:\n push:\n tags:\n - \"edge-*\"\n\npermissions:\n contents: read\n\nenv:\n GH_ANNOTATION: true\n DOCKER_REGISTRY: ghcr.io/linkerd\n K3D_VERSION: v5.8.3\n LINKERD2_PROXY_REPO: ${{ vars.LINKERD2_PROXY_REPO }}\n\njobs:\n # TODO(ver) We should stop relying so heavily on the environment,\n # especially the TAG variable. And it would be great to stop relying\n # on the root-tag script altogether.\n tag:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: echo \"tag=$(CI_FORCE_CLEAN=1 bin/root-tag)\" >> \"$GITHUB_OUTPUT\"\n id: tag\n - name: Validate edge version\n run: bin/compute-edge-version\n outputs:\n tag: ${{ steps.tag.outputs.tag }}\n\n docker_build:\n name: Docker build\n needs: [tag]\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n contents: read\n packages: write # for docker/login-action\n id-token: write # for cosign\n services:\n registry:\n image: registry:3\n ports:\n - 5000:5000\n strategy:\n matrix:\n component:\n - controller\n - debug\n - metrics-api\n - proxy\n - tap\n - web\n timeout-minutes: 45\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - name: Set tag\n run: echo 'TAG=${{ needs.tag.outputs.tag }}' >> \"$GITHUB_ENV\"\n - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2\n with:\n registry: ghcr.io\n username: ${{ secrets.DOCKER_GHCR_USERNAME }}\n password: ${{ secrets.DOCKER_GHCR_PAT }}\n - uses: ./.github/actions/docker-build\n id: build\n with:\n docker-registry: ${{ env.DOCKER_REGISTRY }}\n docker-target: multi-arch\n docker-push: 1\n component: ${{ matrix.component }}\n tag: ${{ needs.tag.outputs.tag }}\n env:\n LINKERD2_PROXY_GITHUB_TOKEN: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN }}\n - uses: sigstore/cosign-installer@v3\n - run: cosign sign '${{ steps.build.outputs.digest }}'\n env:\n COSIGN_YES: true\n\n cli:\n needs: tag\n uses: ./.github/workflows/cli-build.yml\n with:\n version: ${{ needs.tag.outputs.tag }}\n\n integration_tests:\n name: Integration tests\n needs: [tag, cli, docker_build]\n strategy:\n matrix:\n integration_test:\n - cluster-domain\n - cni-calico-deep\n - deep\n - viz\n - tracing\n - default-policy-deny\n - external\n - rsa-ca\n - helm-upgrade\n - uninstall\n - upgrade-edge\n timeout-minutes: 60\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - name: Checkout code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417\n with:\n go-version-file: go.mod\n - uses: ./.github/actions/cli-setup\n with:\n artifact-id: ${{ needs.cli.outputs.artifact-id }}\n target: ${{ runner.temp }}/linkerd\n - run: echo TAG=\"${{ needs.tag.outputs.tag }}\" >> \"$GITHUB_ENV\"\n - name: Validate the CLI version matches the current build tag.\n run: |\n [[ \"$TAG\" == \"$(${{ runner.temp }}/linkerd version --short --client)\" ]]\n - run: bin/tests --images preload --name ${{ matrix.integration_test }} \"${{ runner.temp }}/linkerd\"\n env:\n LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}\n\n gh_release:\n name: Create GH release\n needs:\n - tag\n - cli\n - integration_tests\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n contents: write\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c\n with:\n artifact-ids: ${{ needs.cli.outputs.artifact-id }}\n path: cli\n - name: Create release\n id: create_release\n uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe\n with:\n name: \"${{ needs.tag.outputs.tag }}\"\n generate_release_notes: true\n draft: false\n prerelease: false\n files: |\n ./cli/linkerd2-cli-*\n\n website_publish:\n name: Linkerd website publish\n needs: [chart_deploy]\n if: startsWith(github.ref, 'refs/tags/stable') || startsWith(github.ref, 'refs/tags/edge')\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n permissions:\n contents: write\n steps:\n - name: Create linkerd/website repository dispatch event\n uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697\n with:\n token: ${{ secrets.RELEASE_TOKEN }}\n repository: linkerd/website\n event-type: release\n\n website_publish_check:\n name: Linkerd website publish check\n needs: [tag, website_publish]\n timeout-minutes: 30\n if: startsWith(github.ref, 'refs/tags/stable') || startsWith(github.ref, 'refs/tags/edge')\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - name: Set install target for stable\n if: startsWith(github.ref, 'refs/tags/stable')\n run: echo \"INSTALL=install\" >> \"$GITHUB_ENV\"\n - name: Set install target for edge\n if: startsWith(github.ref, 'refs/tags/edge')\n run: echo \"INSTALL=install-edge\" >> \"$GITHUB_ENV\"\n - name: Check published version\n shell: bash\n run: |\n TAG='${{ needs.tag.outputs.tag }}'\n until RES=$(bin/scurl \"https://run.linkerd.io/$INSTALL\" | grep \"LINKERD2_VERSION=\\${LINKERD2_VERSION:-$TAG}\") \\\n || (( count++ >= 10 ))\n do\n sleep 30\n done\n if [[ -z \"$RES\" ]]; then\n echo \"::error::The version '$TAG' was NOT found published in the website\"\n exit 1\n fi\n\n chart_deploy:\n name: Helm chart deploy\n needs: [gh_release]\n timeout-minutes: 30\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - name: Checkout code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - name: Log into GCP\n uses: \"google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093\"\n with:\n credentials_json: ${{ secrets.LINKERD_SITE_TOKEN }}\n - name: Edge Helm chart creation and upload\n uses: ./.github/actions/helm-publish\n" }, { "path": ".github/workflows/rerun.yml", "content": "# This can be invoked from any other workflow to re-run itself on failure.\n# From https://github.com/orgs/community/discussions/67654#discussioncomment-8038649\nname: Re-run failed workflow\n\non:\n workflow_dispatch:\n inputs:\n run_id:\n description: \"The ID of the run to rerun\"\n required: true\n\nconcurrency:\n group: ${{ github.workflow }}-${{ inputs.run_id }}\n cancel-in-progress: true\n\njobs:\n rerun:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 5\n permissions:\n actions: write\n env:\n GH_REPO: ${{ github.repository }}\n GH_TOKEN: ${{ github.token }}\n GH_DEBUG: api\n steps:\n - run: gh run watch ${{ inputs.run_id }}\n - run: gh run rerun ${{ inputs.run_id }} --failed\n" }, { "path": ".github/workflows/rust.yml", "content": "name: Rust\n\non:\n pull_request:\n paths:\n - .github/workflows/rust.yml\n - Cargo.lock\n - \"**/Cargo.toml\"\n - justfile\n - deny.toml\n - \"**/*.rs\"\n - policy-*/Dockerfile\n - rust-toolchain.toml\n - bin/rust-toolchain-version\n\npermissions:\n contents: read\n\nenv:\n CARGO_INCREMENTAL: 0\n CARGO_NET_RETRY: 10\n PROTOC_NO_VENDOR: 1\n RUST_BACKTRACE: short\n RUSTUP_MAX_RETRIES: 10\n\njobs:\n audit:\n timeout-minutes: 10\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-rust\n strategy:\n matrix:\n checks:\n - advisories\n - bans licenses sources\n # Prevent sudden announcement of a new advisory from failing Ci.\n continue-on-error: ${{ matrix.checks == 'advisories' }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: cargo deny --all-features check ${{ matrix.checks }}\n\n fmt:\n timeout-minutes: 5\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-rust\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just rs-check-fmt\n\n clippy:\n timeout-minutes: 20\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-rust\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just rs-fetch\n - run: just rs-clippy\n - run: just rs-doc --no-deps\n\n check:\n timeout-minutes: 20\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n container: ghcr.io/linkerd/dev:v48-rust\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just rs-fetch\n - run: just rs-check-dirs\n\n test:\n name: test\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 15\n container: ghcr.io/linkerd/dev:v48-rust\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n - run: just rs-fetch\n - run: just rs-test-build\n - run: just rs-test\n\n rust-toolchain:\n name: rust toolchain\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 2\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - shell: bash\n run: |\n toolchain_version=\"$(./bin/rust-toolchain-version)\"\n\n ex=0\n # Check this workflow against the version in rust-toolchain.\n versions=$(sed -nE 's|.*docker://(.*/)?rust:([^ #]+).*|\\2|p' .github/workflows/*)\n for mismatch in $(echo \"$versions\" | grep -vF \"$toolchain_version\" || true) ; do\n echo \"::error file=.github/workflows/rust.yml::Workflow uses incorrect rust version(s): $mismatch (expected '$toolchain_version)')\"\n ex=$((ex + 1))\n done\n\n exit $ex\n" }, { "path": ".github/workflows/shell.yml", "content": "name: Shell\n\non:\n pull_request:\n paths:\n - .github/workflows/shell.yml\n - \"**/*.sh\"\n\npermissions:\n contents: read\n\njobs:\n # For more information on shellcheck failures:\n # https://github.com/koalaman/shellcheck/wiki/Checks\n shellcheck:\n timeout-minutes: 10\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n steps:\n - uses: linkerd/dev/actions/setup-tools@v48\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n - run: just sh-lint\n" }, { "path": ".github/workflows/sync-proxy.yml", "content": "name: Sync proxy\n\non:\n workflow_dispatch:\n inputs:\n version:\n description: \"The version of the proxy to sync\"\n required: true\n default: \"latest\"\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.head_ref }}\n cancel-in-progress: true\n\njobs:\n meta:\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 5\n env:\n GH_REPO: ${{ vars.LINKERD2_PROXY_REPO || 'linkerd/linkerd2-proxy' }}\n GH_TOKEN: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}\n steps:\n - if: inputs.version == 'latest' || inputs.version == ''\n id: latest\n run: gh release view --json tagName,name,url | jq -r 'to_entries[] | (.key + \"=\" + .value)' >> \"$GITHUB_OUTPUT\"\n - name: steps.latest.outputs.tagName=${{ steps.latest.outputs.tagName }}\n run: \"true\"\n - name: steps.latest.outputs.name=${{ steps.latest.outputs.name }}\n run: \"true\"\n - name: steps.latest.outputs.url=${{ steps.latest.outputs.url }}\n run: \"true\"\n\n - if: inputs.version != 'latest' && inputs.version != ''\n id: known\n env:\n VERSION: ${{ inputs.version }}\n run: gh release view \"$VERSION\" --json tagName,name,url | jq -r 'to_entries[] | (.key + \"=\" + .value)' >> \"$GITHUB_OUTPUT\"\n - name: steps.known.outputs.tagName=${{ steps.known.outputs.tagName }}\n run: \"true\"\n - name: steps.known.outputs.name=${{ steps.known.outputs.name }}\n run: \"true\"\n - name: steps.known.outputs.url=${{ steps.known.outputs.url }}\n run: \"true\"\n\n - name: Verify tagName\n if: steps.latest.outputs.tagName == '' && steps.known.outputs.tagName == ''\n run: exit 1\n - name: Verify name\n if: steps.latest.outputs.name == '' && steps.known.outputs.name == ''\n run: exit 1\n - name: Verify url\n if: steps.latest.outputs.url == '' && steps.known.outputs.url == ''\n run: exit 1\n\n outputs:\n tagName: ${{ steps.latest.outputs.tagName || steps.known.outputs.tagName }}\n name: ${{ steps.latest.outputs.name || steps.known.outputs.name }}\n url: ${{ steps.latest.outputs.url || steps.known.outputs.url }}\n\n changed:\n needs: meta\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 5\n env:\n VERSION: ${{ needs.meta.outputs.name }}\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n with:\n token: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}\n - name: Check if proxy version has changed\n id: changed\n run: |\n if [ \"$(cat .proxy-version)\" != \"$VERSION\" ]; then\n echo changed=true >> \"$GITHUB_OUTPUT\"\n fi\n - name: steps.changed.outputs.changed=${{ steps.changed.outputs.changed == 'true' }}\n run: \"true\"\n outputs:\n changed: ${{ steps.changed.outputs.changed == 'true' }}\n\n sync-proxy:\n needs: [meta, changed]\n if: needs.changed.outputs.changed == 'true'\n runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}\n timeout-minutes: 5\n permissions:\n checks: read\n contents: write\n pull-requests: write\n env:\n VERSION: ${{ needs.meta.outputs.name }}\n URL: ${{ needs.meta.outputs.url }}\n steps:\n - name: Configure git\n env:\n GITHUB_USERNAME: ${{ vars.LINKERD2_PROXY_GITHUB_USERNAME || 'github-actions[bot]' }}\n run: |\n git config --global --add safe.directory \"$PWD\" # actions/runner#2033\n git config --global user.name \"$GITHUB_USERNAME\"\n git config --global user.email \"$GITHUB_USERNAME\"@users.noreply.github.com\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\n with:\n token: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}\n - name: Commit proxy version\n run: |\n set -eu\n git fetch origin bot/sync-proxy/\"$VERSION\" || true\n git switch -c bot/sync-proxy/\"$VERSION\"\n echo \"$VERSION\" > .proxy-version\n git add .proxy-version\n (\n echo \"proxy: $VERSION\"\n echo\n echo \"Release notes: $URL\"\n ) >\"$RUNNER_TEMP\"/commit.txt\n git commit --signoff -F \"$RUNNER_TEMP\"/commit.txt\n git push origin bot/sync-proxy/\"$VERSION\"\n - env:\n GH_REPO: ${{ github.repository }}\n GH_TOKEN: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}\n run: |\n gh pr create --title \"proxy: $VERSION\" --body \"Release notes: $URL\" --label bot/sync-proxy\n" }, { "path": ".gitignore", "content": "**/disco\ntarget\ntmp.discovery\n**/.idea\n**/cmake-*\n**/CMakeLists.txt\n*.iml\n**/node_modules\nweb/web\nweb/app/dist\nweb/app/js/locales/_build\nweb/app/js/locales/**/*.js\nweb/app/yarn-error.log\nvendor\n**/*.swp\n**/charts/**/charts\npackage-lock.json\n.vscode\n**/coverage*\n" }, { "path": ".golangci.yml", "content": "# This file specifies which linters golangci-lint should run.\n#\n# For descriptions of all available linters, run:\n# ./.golangci-lint-1.17.1 linters\n# or browse to:\n# https://github.com/golangci/golangci-lint#supported-linters\n\nrun:\n deadline: 5m\n exclude-dirs:\n - controller/gen\n\nlinters:\n enable:\n - bodyclose\n #TODO - copyloopvar\n - errcheck\n - errorlint\n - gocritic\n - gosec\n - gosimple\n - govet\n - ineffassign\n - misspell\n - nakedret\n - revive\n - staticcheck\n - stylecheck\n - typecheck\n - unconvert\n - unparam\n - unused\n # TODO: enable more linters!\n # - depguard\n # - dupl\n # - gochecknoglobals\n # - gochecknoinits\n # - gocyclo\n # - interfacer\n # - lll\n # - maligned\n # - prealloc\n\n disable: []\n\nlinters-settings:\n revive:\n rules:\n - name: package-comments\n disabled: true\n stylecheck:\n checks: [\"ST1019\"]\n errcheck:\n exclude-functions:\n - fmt.Fprint\n - fmt.Fprintf\n - fmt.Fprintln\n gosec:\n excludes:\n - G115 # Potential integer overflow when converting between integer types\n\nissues:\n exclude-use-default: false\n exclude-rules:\n # Ignore errors when performing the following file operations. If these are\n # not handled separately already, they tend to be insignificant.\n - linters:\n - errcheck\n text: Error return value of `.*\\.(Copy|Flush|Write|WriteTo)` is not checked\n\n # Ignore error values when closing file or HTTP response bodies. These\n # generally happen as cleanup and are part of defer statements.\n - linters:\n - errcheck\n text: Error return value of `.*\\.Close` is not checked\n\n # Ignore error values when closing file or HTTP response bodies. These\n # generally happen as cleanup and are part of defer statements.\n - linters:\n - gosec\n text: Deferring unsafe method \"Close\" on type\n\n # Ignore error checks for CLI output.\n - linters:\n - errcheck\n text: Error return value of `(plugin|spin|termbox)\\.(Clear|Color|Flush|Run)` is not checked\n\n # The errcheck linter catches these instances and we exclude them with the\n # rule above; therefore we'll ignore redundant warnings through gosec.\n - linters:\n - gosec\n text: \"G104: Errors unhandled\"\n\n # This gives false negatives if a variable name is too close to the pattern\n # used to determine if a variable is a credential.\n - linters:\n - gosec\n text: \"G101: Potential hardcoded credentials\"\n\n # Temporarily disable this check until the next golang-ci upgrade (greater\n # than v1.50.1) which upgrades gosec from v2.13.1 to v2.14.0. The fix is in\n # this commit, that refers to G404 but it seems it also affects G402:\n # https://github.com/securego/gosec/commit/dfde579243e1bfe0856ddafc5fc6aebb29c0edf6\n - linters:\n - gosec\n text: \"G402: TLS MinVersion too low\"\n\n # Flag operations are fallible if the flag does not exist. We assume these\n # exist as they are generally flags we are deprecating or use only for\n # development.\n - linters:\n - errcheck\n text: Error return value of `(.*)\\.(MarkDeprecated|MarkHidden|Set)` is not checked\n\n # Flag completion is not critical to the CLI and errors are ignored if\n # registration fails.\n - linters:\n - errcheck\n text: Error return value of `.*\\.RegisterFlagCompletionFunc` is not checked\n\n # Errors that occur when gracefully shutting down control plane components\n # are insignificant.\n - linters:\n - errcheck\n text: Error return value of `(adminServer|apiServer|server)\\.Shutdown` is not checked\n\n # Append should be able to assign to a different var/slice.\n - linters:\n - gocritic\n text: \"appendAssign: append result not assigned to the same slice\"\n\n # This does not always result in more readable code.\n - linters:\n - gocritic\n text: \"singleCaseSwitch: should rewrite switch statement to if statement\"\n\n # This does not always result in more readable code.\n - linters:\n - gocritic\n text: \"ifElseChain: rewrite if-else to switch statement\"\n\n # Test/fuzzing do not need to be tested for security issues.\n - linters:\n - gosec\n path: .*(test|fuzzer).*\\.go\n\n # In tests/fuzzing we are usually mocking components or have a good idea\n # about the errors that we expect. For this reason, we ignore unchecked\n # errors in all test files.\n - path: .*(test|fuzzer).*\\.go\n text: Error return value of `.*` is not checked\n\n # In tests we'll ignore unchecked filename operations because the values\n # are not dynamic.\n - path: (.*test.*\\.go|fake)\n text: \"G304: Potential file inclusion via variable\"\n\n # This ignores the errors returned from AddToScheme operations.\n - path: pkg/k8s/fake.go\n text: Error return value is not checked\n\n # Ignore NewSimpleClientset, Endpoints, EndpointSubset, and NewGone\n # deprecation warnings for now.\n - linters:\n - staticcheck\n text: \"corev1.Endpoints is deprecated: This API is deprecated in v1.33+\"\n - linters:\n - staticcheck\n text: \"corev1.EndpointSubset is deprecated: This API is deprecated in v1.33+\"\n - linters:\n - staticcheck\n text: \"fake.NewSimpleClientset is deprecated\"\n - linters:\n - staticcheck\n text: \"k8sError.NewGone is deprecated\"\n" }, { "path": ".helmdocsignore", "content": "# Add potential chart ignores here\n" }, { "path": ".markdownlint.yaml", "content": "default: true\nline_length: \n code_blocks: false\n tables: false\nheadings:\n siblings_only: true\n" }, { "path": ".proxy-version", "content": "v2.344.0\n" }, { "path": "ADOPTERS.md", "content": "# Linkerd 2.x adopters\n\n- [Ada](http://www.ada.cx)\n- [Adidas](https://www.adidas-group.com)\n- [Advance Latam](http://www.advlatam.com)\n- [Allotrac](https://allotrac.com.au)\n- [AlphaSights](https://www.alphasights.com)\n- [Altinn](https://www.altinn.no/en/)\n- [ANNA Money](https://anna.money)\n- [Apester](https://apester.com)\n- [AppddictionStudio](https://appddicitonstudio.com)\n- [Applause](https://www.applause.com)\n- [AT&T]()\n- [Attest](https://www.askattest.com)\n- [Bede Gaming](https://bedegaming.com)\n- [Bink](https://bink.com)\n- [Bitfactory](https://www.bitfactory.nl/)\n- [Boomin](https://www.boomin.com)\n- [Bosch Thermotecnology](https://www.bosch-thermotechnology.com)\n- [Buoyant](https://buoyant.io)\n- [Cabify](https://cabify.com)\n- [Candide](https://candidegardening.com)\n- [Celonis](https://celonis.com)\n- [CloverHealth](https://www.cloverhealth.com/)\n- [Cohere](https://cohere.ai/)\n- [Commonbond](https://www.commonbond.co/)\n- [Crayon](https://crayon.com)\n- [Docker](https://docker.com)\n- [Doji](https://www.doji.cn/)\n- [Dukaan](https://mydukaan.io/)\n- [Expedia](https://www.expedia.com)\n- [Facelift](https://www.facelift-bbt.com/en)\n- [Favrit](https://www.favrit.com)\n- [Figure](https://www.figure.com)\n- [finleap connect](https://connect.finleap.com/)\n- [Giant Swarm](https://www.giantswarm.io)\n- [Gotin](https://www.gotin.online)\n- [HomeChoice](https://www.homechoice.co.za/)\n- [HP Inc](https://www8.hp.com/us/en/home.html)\n- [In Loco](https://inloco.com.br/en/)\n- [Info Support](https://infosupport.com/)\n- [Ingrid](https://ingrid.com/)\n- [Inscripta](https://inscripta.io)\n- [Jimdo](https://www.jimdo.com/)\n- [Just Football](https://justfootball.io)\n- [K3 Business Technologies](https://www.k3btg.com)\n- [Kairos](https://kairos.com)\n- [Kurio](https://kurio.id)\n- [LeadIQ](https://leadiq.com)\n- [LeanNet](https://leannet.eu/)\n- [Lendico](https://www.lendico.de/)\n- [Livspace](https://www.livspace.com/)\n- [Lumoa](https://www.lumoa.me/)\n- [M1 Finance](https://www.m1finance.com/)\n- [manager.cl](https://www.manager.cl/)\n- [MattePaint](https://www.mattepaint.com/)\n- [Mentum](https://mentumqr.com/)\n- [MercedesBenz.io](https://www.mercedes-benz.io/)\n- [Microsoft](https://www.microsoft.com/)\n- [Mulligan Funding](https://www.mulliganfunding.com/)\n- [Mythical Games](https://mythicalgames.com/)\n- [National Information Solutions Cooperative (NISC)](https://nisc.coop/)\n- [NAV](https://nav.no/)\n- [Nordstrom](https://nordstrom.com/)\n- [Novolabs](https://novolabs.com)\n- [OLX Brasil](https://www.olx.com.br)\n- [p3r](https://www.p3r.one/)\n- [Pangea](https://pangea.cloud)\n- [Parklab](https://parklab.app/)\n- [Paybase](https://paybase.io/)\n- [Pento](https://pento.io/)\n- [Personio](https://www.personio.com/)\n- [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/)\n- [PlayStudios Asia](https://www.playstudios.asia)\n- [PlexTrac](https://plextrac.com)\n- [PriceKinetics (GVC Australia)](https://www.pricekinetics.com.au/)\n- [Projector](https://projector.com)\n- [Purdue University Global](https://www.purdueglobal.edu/)\n- [reDock](https://www.redock.com/)\n- [ReliMail](https://relimail.com/)\n- [S&P Global Platts](https://www.spglobal.com/platts/en)\n- [Salt Security](https://salt.security/)\n- [Samarkand Global](https://www.samarkand.global/)\n- [SCA](https://sca.com.au)\n- [Search365](https://search365.ai/)\n- [Skit](https://skit.ai/)\n- [Sophotech](https://sopho.tech)\n- [Split](https://www.split.io/)\n- [StackPulse](https://stackpulse.com)\n- [Studyo](https://studyo.co)\n- [Sue](https://sue.nl)\n- [The Zebra](https://www.thezebra.com)\n- [Timescale](https://www.timescale.com)\n- [Tradeshift](https://tradeshift.com/)\n- [Transit](https://transit.app)\n- [True Tickets](https://true-tickets.com)\n- [Web Summit](https://websummit.com)\n- [Winuall](https://www.winuall.com)\n- [Wiz Security](https://www.wiz.io/)\n- [xCloud](https://www.xbox.com/en-US/xbox-game-streaming/project-xcloud)\n- [YouMail](https://www.youmail.com)\n- [ZeroFlucs](https://zeroflucs.io/)\n- [Zimpler](https://www.zimpler.com/)\n\nIf you're using Linkerd 2.x and aren't on this list, please [submit a pull\nrequest](https://github.com/linkerd/linkerd2/edit/main/ADOPTERS.md)!\n" }, { "path": "AMBASSADORS.md", "content": "# Linkerd Ambassadors\n\nThe Linkerd Ambassador badge is a distinction awarded to those community\nmembers who are experts in their field and who demonstrate expertise, passion,\nengagement, and a commitment to sharing their Linkerd experience with the\nbroader community. Linkerd Ambassadors are hand-picked by the Linkerd\nmaintainers.\n\nInterested in becoming a Linkerd Ambassador? Learn more at\n.\n\n## Current Ambassadors\n\n- 🇺🇸 Chris Campbell, @campbel\n- 🇩🇪 Christian Hüning, @christianhuening\n- 🇭🇺 Dominik Táskai, @dtaskai\n- 🇮🇱 Eli Goldberg, @Eli-Goldberg\n- 🇬🇧 Mahendran Selvakumar, @skmahe1077\n- 🇬🇹 Sergio Méndez, @sergioarmgpl\n- 🇳🇱 William Rizzo, @wrkode\n\n## Ambassadors Emeriti\n\n- 🇺🇸 Charles Pretzer, @cpretzer\n- 🇳🇴 Fredrik Klingenberg, @fredrkl\n- 🇩🇰 Kasper Nissen, @kaspernissen\n- 🇵🇹 María Teresa Rojas, @mtrojas\n- 🇦🇺 Steve Gray\n" }, { "path": "BUILD.md", "content": "\n# Linkerd2 Development Guide\n\n:balloon: Welcome to the Linkerd2 development guide! :wave:\n\nThis document will help you build and run Linkerd2 from source. More information\nabout testing from source can be found in the [TEST.md](TEST.md) guide.\n\n## Table of contents\n\n- [Repo Layout](#repo-layout)\n - [Control Plane (Go/React)](#control-plane-goreact)\n - [Data Plane (Rust)](#data-plane-rust)\n- [Components](#components)\n- [Development configurations](#development-configurations)\n - [Comprehensive](#comprehensive)\n - [Deploying Control Plane components with Tracing](#deploying-control-plane-components-with-tracing)\n - [Publishing Images](#publishing-images)\n - [Go](#go)\n - [A note about Go run](#a-note-about-go-run)\n - [Lint](#lint)\n - [Formatting](#formatting)\n - [Building the CLI for development](#building-the-cli-for-development)\n - [Running the control plane for development](#running-the-control-plane-for-development)\n - [Running the Tap APIService for development](#debugging-the-tap-apiservice-for-development)\n - [Generating CLI docs](#generating-cli-docs)\n - [Web](#web)\n - [First time setup](#first-time-setup)\n - [Run web standalone](#run-web-standalone)\n - [Webpack dev server](#webpack-dev-server)\n - [JavaScript dependencies](#javascript-dependencies)\n - [Translations](#translations)\n - [Rust](#rust)\n - [Docker](#docker)\n- [Dependencies](#dependencies)\n - [Updating protobuf dependencies](#updating-protobuf-dependencies)\n - [Updating ServiceProfile generated\n code](#updating-serviceprofile-generated-code)\n- [Linkerd Helm Chart](#linkerd-helm-chart)\n - [Extensions Helm charts](#extensions-helm-charts)\n - [Making changes to the chart templates](#making-changes-to-the-chart-templates)\n - [Annotating values.yaml](#annotating-valuesyaml)\n - [Markdown templates](#markdown-templates)\n\n## Repo layout\n\nLinkerd2 is primarily written in Rust, Go, and React. At its core is a\nhigh-performance data plane written in Rust. The control plane components and\nits extensions are written in Go. The dashboard UI is a React application.\n\n### Control Plane (Go/React)\n\n- [`cli`](cli): Command-line `linkerd` utility, view and drive the control\n plane.\n- [`controller`](controller)\n - [`destination`](controller/api/destination): Accepts requests from `proxy`\n instances and serves service discovery information.\n - [`proxy-injector`](controller/proxy-injector): Mutating webhook triggered by\n pods creation, that injects the proxy container as a sidecar.\n - [`identity`](controller/identity): Provides a CA to distribute certificates\n to proxies for them to establish mTLS connections between them.\n- [`viz extension`](viz)\n - [`metrics-api`](viz/metrics-api): Accepts requests from API clients such as\n cli and web, serving metrics from the proxies in the cluster through\n Prometheus queries.\n - [`tap`](viz/tap/api): Provides a live pipeline of requests.\n - [`tap-injector`](viz/tap/injector): Mutating webhook triggered by pods\n creation, that injects metadata into the proxy container in order to enable\n tap.\n - [`web`](web): Provides a UI dashboard to view and drive the control plane.\n- [`multicluster extension`](multicluster)\n - [`linkerd-gateway`]: Accepts requests from other clusters and forwards them\n to the appropriate destination in the local cluster.\n - [`linkerd-service-mirror-xxx`](multicluster/service-mirror): Controller\n observing the labeling of exported services in the target cluster, each one\n for which it will create a mirrored service in the local cluster.\n\n### Data Plane (Rust)\n\n- [`linkerd2-proxy`](https://github.com/linkerd/linkerd2-proxy): Rust source\n code for the proxy lives in the linkerd2-proxy repo.\n- [`linkerd2-proxy-api`](https://github.com/linkerd/linkerd2-proxy-api):\n Protobuf definitions for the data plane APIs live in the linkerd2-proxy-api\n repo.\n\n## Components\n\n![Linkerd2 Components](https://g.gravizo.com/source/svg/linkerd2_components?https%3A%2F%2Fraw.githubusercontent.com%2Flinkerd%2Flinkerd2%2Fmain%2FBUILD.md)\n\n\n
\n\nlinkerd2_components\n digraph G {\n rankdir=LR;\n\n node [style=filled, shape=rect];\n\n \"cli\" [color=lightblue];\n \"destination\" [color=lightblue];\n \"identity\" [color=lightblue];\n \"metrics-api\" [color=lightblue];\n \"tap\" [color=lightblue];\n \"web\" [color=lightblue];\n\n \"proxy\" [color=orange];\n\n \"cli\" -> \"metrics-api\";\n \"cli\" -> \"tap\";\n\n \"web\" -> \"metrics-api\";\n \"web\" -> \"tap\";\n \"web\" -> \"grafana\";\n\n \"metrics-api\" -> \"prometheus\";\n\n \"tap\" -> \"proxy\";\n\n \"proxy\" -> \"destination\";\n \"proxy\" -> \"identity\";\n\n \"identity\" -> \"kubernetes api\"\n\n \"destination\" -> \"kubernetes api\";\n\n \"grafana\" -> \"prometheus\";\n \"prometheus\" -> \"proxy\";\n }\nlinkerd2_components\n
\n\n\n## Development configurations\n\nDepending on use case, there are several configurations with which to develop\nand run Linkerd2:\n\n- [Comprehensive](#comprehensive): Integrated configuration using k3d, most\n closely matches release.\n- [Web](#web): Development of the Linkerd2 Dashboard.\n\n### Comprehensive\n\nThis configuration builds all Linkerd2 components in Docker images, and deploys\nthem onto a k3d cluster. This setup most closely parallels our recommended\nproduction installation, documented in [Getting\nStarted](https://linkerd.io/2/getting-started/).\n\nNote that you need to have first installed docker buildx, as explained\n[buildx docs](https://github.com/docker/buildx).\n\n```bash\n# create the k3d cluster\nbin/k3d cluster create\n\n# build all docker images\nbin/docker-build\n\n# load all the images into k3d\nbin/image-load --k3d\n\n# install linkerd\nbin/linkerd install --crds | kubectl apply -f -\nbin/linkerd install | kubectl apply -f -\n\n# wait for the core components to be ready, then install linkerd-viz\nbin/linkerd viz install | kubectl apply -f -\n\n# in order to use `linkerd viz tap` against control plane components, you need\n# to restart them (so that the tap-injector enables tap on their proxies)\nkubectl -n linkerd rollout restart deploy\n\n# verify cli and server versions\nbin/linkerd version\n\n# validate installation\nbin/linkerd check --expected-version $(bin/root-tag)\n\n# view linkerd dashboard\nbin/linkerd viz dashboard\n\n# install the demo app\ncurl https://run.linkerd.io/emojivoto.yml | bin/linkerd inject - | kubectl apply -f -\n\n# port-forward the demo app's frontend to see it at http://localhost:8080\nkubectl -n emojivoto port-forward svc/web-svc 8080:80\n\n# view details per deployment\nbin/linkerd viz -n emojivoto stat deployments\n\n# view a live pipeline of requests\nbin/linkerd viz -n emojivoto tap deploy voting\n```\n\n#### Deploying Control Plane components with Tracing\n\nControl Plane components have the `trace-collector` flag used to enable\n[Distributed Tracing](https://opentracing.io/docs/overview/what-is-tracing/)\nfor development purposes. It can be enabled globally i.e Control plane\ncomponents and their proxies by using the\n`--set controller.tracing.enable=true` installation flag.\n\nThis will configure all the components to send the traces to the collector you\nhave configured for your cluster.\n\n```bash\n\n# install Linkerd with tracing\nlinkerd install \\\n --set controller.tracing.enable=true \\\n --set controller.tracing.collector.endpoint= \\\n | kubectl apply -f -\n```\n\n### Publishing images\n\nThe example above builds and loads the docker images into k3d. For testing your\nbuilt images outside your local environment, you need to publish your images so\nthey become accessible in those external environments.\n\nTo signal `bin/docker-build` or any of the more specific scripts\n`bin/docker-build-*` what registry to use, just set the environment variable\n`DOCKER_REGISTRY` (which defaults to the official registry `cr.l5d.io/linkerd`).\nAfter having pushed those images through the usual means (`docker push`) you'll\nhave to pass the `--registry` flag to `linkerd install` with a value matching\nyour registry. Extensions don't have that flag and instead you need to use the\nequivalent Helm value; e.g. for Viz `linkerd viz install --set\ndefaultRegistry=...`.\n\n### Go\n\n#### A note about Go run\n\nOur instructions use a [`bin/go-run`](bin/go-run) script in lieu `go run`. This\nis a convenience script that leverages caching via `go build` to make your\nbuild/run/debug loop faster.\n\nIn general, replace commands like this:\n\n```bash\ngo run cli/main.go check\n```\n\nwith this:\n\n```bash\nbin/go-run cli check\n```\n\nThat is equivalent to running `linkerd check` using the code on your branch.\n\n#### Lint\n\nTo analyze and lint the Go code using golangci-lint, run:\n\n```bash\ngolangci-lint run\n```\n\n#### Formatting\n\nAll Go source code is formatted with `goimports`. The version of `goimports`\nused by this project is specified in `go.mod`. To ensure you have the same\nversion installed, run `go install -mod=readonly\ngolang.org/x/tools/cmd/goimports`. It's recommended that you set your IDE or\nother development tools to use `goimports`. Formatting is checked during CI by\nthe `bin/fmt` script.\n\n#### Building the CLI for development\n\nThe script for building the CLI binaries using docker is\n`bin/docker-build-cli-bin`. This will also be called indirectly when calling\n`bin/docker-build`. By default it creates binaries for your current host's\nOS/arch.\n\nTo cross-build targeting a different OS or architecture, set the environment\nvariable `DOCKER_TARGET` according to any of the final stages available in\n[cli/Dockerfile](cli/Dockerfile).\n\nFor local development and a faster edit-build-test cycle you can build directly\nwithout going through a docker container by calling `bin/build-cli-bin`.\n\nIf you set the environment variable `LINKERD_LOCAL_BUILD_CLI=1` then\n`bin/docker-build` will use this last method for the step that builds the CLI.\n\n#### Running the control plane for development\n\nLinkerd2's control plane is composed of several Go microservices. You can run\nthese components in a Kubernetes cluster, or even locally.\n\nTo run an individual component locally, you can use the `go-run` command, and\npass in valid Kubernetes credentials via the `-kubeconfig` flag. For instance,\nto run the destination service locally, run:\n\n```bash\nbin/go-run controller/cmd destination -kubeconfig ~/.kube/config -log-level debug\n```\n\nYou can send test requests to the destination service using the\n`destination-client` in the `controller/script` directory. For instance:\n\n```bash\nbin/go-run controller/script/destination-client -path hello.default.svc.cluster.local:80\n```\n\n##### Debugging the Tap APIService for development\n\nThe Tap APIService is a Kubernetes extension API server, so it can be\nchallenging to run outside the cluster. The most straightforward workflow is to\nsimply test changes by building and loading the container image as explained in\nthe [comprehensive configuration](#comprehensive) section above (in order to\njust build this component use `bin/docker-build-tap`).\n\n#### Generating CLI docs\n\nThe [documentation](https://linkerd.io/2/cli/) for the CLI tool is partially\ngenerated from YAML. This can be generated by running the `linkerd doc` command.\n\n### Web\n\nThis is a React app fronting a Go process. It uses webpack to bundle assets, and\npostcss to transform css.\n\nThese commands assume working [Go](https://golang.org) and\n[Yarn](https://yarnpkg.com) environments.\n\n#### First time setup\n\n1. Install [Yarn](https://yarnpkg.com) and use it to install JS dependencies:\n\n ```bash\n brew install yarn\n bin/web setup\n ```\n\n2. Install Linkerd on a Kubernetes cluster.\n\n#### Run web standalone\n\n```bash\nbin/web run\n```\n\nThe web server will be running on `localhost:7777`.\n\n#### Webpack dev server\n\nTo develop with a webpack dev server:\n\n1. Start the development server.\n\n ```bash\n bin/web dev\n ```\n\n Note: this will start up:\n\n - `web` on :7777. This is the golang process that serves the dashboard.\n - `webpack-dev-server` on :8080 to manage rebuilding/reloading of the\n javascript.\n - `metrics-api` is port-forwarded from the Kubernetes cluster via `kubectl`\n on :8085\n\n2. Go to [http://localhost:7777](http://localhost:7777) to see everything\n running.\n\n#### JavaScript dependencies\n\nTo add a JS dependency:\n\n```bash\ncd web/app\nyarn add [dep]\n```\n\n#### Translations\n\nTo add a locale:\n\n```bash\ncd web/app\nyarn lingui add-locale [locales...] # will create a messages.json file for new locale(s)\n```\n\nTo extract message keys from existing components:\n\n```bash\ncd web/app\nyarn lingui extract\n...\nyarn lingui compile # done automatically in bin/web run\n```\n\nFinally, make sure the new locale is also referred in the following places:\n\n- Under the `lingui` section in `package.json`\n- In the `make-plural/plurals` import in `index.js`\n- In the `langOptions` object in `index.js`\n\n### Rust\n\nAll Rust development happens in the\n[`linkerd2-proxy`](https://github.com/linkerd/linkerd2-proxy) repo.\n\n#### Docker\n\nThe `bin/docker-build-proxy` script builds the proxy by pulling a pre-published\nproxy binary:\n\n```bash\nbin/docker-build-proxy\n```\n\n#### Locally built proxy\n\nIf you want to deploy a locally built proxy, you can build it in the\n[`linkerd2-proxy`](https://github.com/linkerd/linkerd2-proxy) repo by running:\n\n```bash\nDOCKER_TAG=cr.l5d.io/linkerd/proxy:dev make docker\n```\n\nThen, in this repo, run:\n\n```bash\n./bin/k3d image import cr.l5d.io/linkerd/proxy:dev\n```\n\nNow, to make a pod use your image, add the following annotations to it:\n\n```yaml\nconfig.linkerd.io/proxy-version: dev\n```\n\n## Dependencies\n\n### Updating protobuf dependencies\n\n If you make Protobuf changes, run:\n\n ```bash\nbin/protoc-go.sh\n```\n\n### Updating ServiceProfile generated code\n\nThe [ServiceProfile client code](./controller/gen/client) is generated by\n[`bin/update-codegen.sh`](bin/update-codegen.sh), which depends on [K8s\ncode-generator](https://github.com/kubernetes/code-generator), which does not\nyet support Go Modules. To re-generate this code, check out this repo into your\n`GOPATH`:\n\n```bash\ngo get -u github.com/linkerd/linkerd2\ncd $GOPATH/src/github.com/linkerd/linkerd2\nbin/update-codegen.sh\n```\n\n## Linkerd Helm chart\n\nThe Linkerd control plane chart is located in the\n[`charts/linkerd2`](charts/linkerd2) folder. The [`charts/patch`](charts/patch)\nchart consists of the Linkerd proxy specification, which is used by the proxy\ninjector to inject the proxy container. Both charts depend on the partials\nsubchart which can be found in the [`charts/partials`](charts/partials) folder.\n\nNote that the `charts/linkerd2/values.yaml` file contains a placeholder\n`linkerdVersionValue` that you need to replace with an appropriate string (like\n`edge-20.2.2`) before proceeding.\n\nDuring development, please use the [`bin/helm`](bin/helm) wrapper script to\ninvoke the Helm commands. For example,\n\n```bash\nbin/helm install linkerd2 charts/linkerd2\n```\n\nThis ensures that you use the same Helm version as that of the Linkerd CI\nsystem.\n\nFor general instructions on how to install the charts check out the\n[docs](https://linkerd.io/2/tasks/install-helm/). You also need to supply or\ngenerate your own certificates to use the chart, as explained in the\n[Generate Certificates task](https://linkerd.io/2/tasks/generate-certificates/).\n\n### Extensions Helm charts\n\nExtensions provide each their own chart:\n\n- Viz: [`viz/charts/linkerd-viz`](viz/charts/linkerd-viz)\n- Multicluster:\n [`multicluster/charts/linkerd-multicluster`](multicluster/charts/linkerd-multicluster)\n\n### Making changes to the chart templates\n\nWhenever you make changes to the files under\n[`charts/linkerd2/templates`](charts/linkerd2/templates) or its dependency\n[`charts/partials`](charts/partials), make sure to run\n[`bin/helm-build`](bin/helm-build) which will refresh the dependencies and lint\nthe templates.\n\n### Annotating values.yaml\n\nTo allow helm-docs to properly document the values in `values.yaml` a descriptive\ncomment is required. This can be done in two ways.\nEither comment the value directly above with\n`# -- This is a really nice value` where the double dashes automatically\nannotates the value. Another explicit usage is to type out the value name.\n`# global.MyNiceValue -- I really like this value`\n\n### Markdown templates\n\nIn order to accommodate for extra data that might not have a proper place in the\n´values.yaml´ file the corresponding ´README.md.gotmpl´ can be modified for each\nchart. This template allows the standard markdown syntax as well as the go\ntemplating functions. Checkout\n[helm-docs](https://github.com/norwoodj/helm-docs) for more info.\n" }, { "path": "CHANGES.md", "content": "\n# Changes\n\nPlease visit Linkerd's [Release page][gh-releases] for for the latest release\nnotes moving forward!\n\n[gh-releases]: https://github.com/linkerd/linkerd2/releases\n\n## edge-24.2.5\n\n* Migrated edge release change notes to use GitHub's automated release notes\n feature.\n\n## edge-24.2.4\n\n* Updated the ExternalWorkload CRD to v1beta1, renaming the meshTls field to\n meshTLS ([#12098])\n* Updated the proxy to address some logging and metrics inconsistencies\n ([#12099])\n\n[#12098]: https://github.com/linkerd/linkerd2/pull/12098\n[#12099]: https://github.com/linkerd/linkerd2/pull/12099\n\n## edge-24.2.3\n\n* Allowed the `MutatingWebhookConfig` timeout value to be configured ([#12028])\n (thanks @mikebell90)\n* Added a counter for items dropped from destination controller workqueue\n ([#12079])\n* Fixed a spurious `linkerd check` error when using container images with\n digests ([#12059])\n* Fixed an issue where inbound policy could be incorrect after certain policy\n resources are deleted ([#12088])\n\n[#12028]: https://github.com/linkerd/linkerd2/pull/12028\n[#12079]: https://github.com/linkerd/linkerd2/pull/12079\n[#12059]: https://github.com/linkerd/linkerd2/pull/12059\n[#12088]: https://github.com/linkerd/linkerd2/pull/12088\n\n## edge-24.2.2\n\nThis release addresses some issues in the destination service that could cause\nit to behave unexpectedly when processing updates.\n\n* Fixed a race condition in the destination service that could cause panics\n under very specific conditions ([#12022]; fixes [#12010])\n* Changed how updates to a `Server` selector are handled in the destination\n service. When a `Server` that marks a port as opaque no longer selects a\n resource, the resource's opaqueness will reverted to default settings\n ([#12031]; fixes [#11995])\n* Introduced Helm configuration values for liveness and readiness probe\n timeouts and delays ([#11458]; fixes [#11453]) (thanks @jan-kantert!)\n\n[#12010]: https://github.com/linkerd/linkerd2/issues/12010\n[#12022]: https://github.com/linkerd/linkerd2/pull/12022\n[#11995]: https://github.com/linkerd/linkerd2/issues/11995\n[#12031]: https://github.com/linkerd/linkerd2/pull/12031\n[#11453]: https://github.com/linkerd/linkerd2/issues/11453\n[#11458]: https://github.com/linkerd/linkerd2/pull/11458\n\n## edge-24.2.1\n\nThis edge release contains performance and stability improvements to the\nDestination controller, and continues stabilizing support for ExternalWorkloads.\n\n* Reduced the load on the Destination controller by only processing Server\n updates on workloads affected by the Server ([#12017])\n* Changed how the Destination controller reacts to target clusters (in\n multicluster pod-to-pod mode) whose Server CRD is outdated: skip them and log\n an error instead of panicking ([#12008])\n* Improved the leader election of the ExternalWorkloads Endpoints controller to\n avoid missing events ([#12021])\n* Improved naming of EndpointSlices generated by ExternWorkloads ([#12016])\n* Restriced the number of IPs an ExternalWorkload can have ([#12026])\n\n[#12017]: https://github.com/linkerd/linkerd2/pull/12017\n[#12008]: https://github.com/linkerd/linkerd2/pull/12008\n[#12021]: https://github.com/linkerd/linkerd2/pull/12021\n[#12016]: https://github.com/linkerd/linkerd2/pull/12016\n[#12026]: https://github.com/linkerd/linkerd2/pull/12026\n\n## edge-24.1.3\n\nThis release continues support for ExternalWorkload resources throughout the\ncontrol and data planes.\n\n* Updated the proxy to use SPIRE to instrument identity outside of Kubernetes.\n* Updated the Destination controller to return `INVALID_ARGUMENT` status codes\n properly when a `ServiceProfile` is requested for a service that does not\n exist. (#11980)\n* An ExternalWorkload EndpointSlice controller has been added to the\n Destination controller.\n* Added a `createNamespaceMetadataJob` Helm value to control whether the\n namespace-metadata job is run during install (#11782)\n\n## edge-24.1.2\n\nThis edge release incrementally improves support for ExternalWorkload resources\nthroughout the control plane.\n\n## edge-24.1.1\n\nThis edge release introduces a number of different fixes and improvements. More\nnotably, it introduces a new `cni-repair-controller` binary to the CNI plugin\nimage. The controller will automatically restart pods that have not received\ntheir iptables configuration.\n\n* Removed shortnames from Tap API resources to avoid colliding with existing\n Kubernetes resources ([#11816]; fixes [#11784])\n* Introduced a new ExternalWorkload CRD to support upcoming mesh expansion\n feature ([#11805])\n* Changed `MeshTLSAuthentication` resource validation to allow SPIFFE URI\n identities ([#11882])\n* Introduced a new `cni-repair-controller` to the `linkerd-cni` DaemonSet to\n automatically restart misconfigured pods that are missing iptables rules\n ([#11699]; fixes [#11073])\n* Fixed a `\"duplicate metrics\"` warning in the multicluster service-mirror\n component ([#11875]; fixes [#11839])\n* Added metric labels and weights to `linkerd diagnostics endpoints` json\n output ([#11889])\n* Changed how `Server` updates are handled in the destination service. The\n change will ensure that during a cluster resync, consumers won't be\n overloaded by redundant updates ([#11907])\n* Changed `linkerd install` error output to add a newline when a Kubernetes\n client cannot be successfully initialised ([#11917])\n\n[#11816]: https://github.com/linkerd/linkerd2/pull/11816\n[#11784]: https://github.com/linkerd/linkerd2/issues/11784\n[#11805]: https://github.com/linkerd/linkerd2/pull/11805\n[#11882]: https://github.com/linkerd/linkerd2/pull/11882\n[#11699]: https://github.com/linkerd/linkerd2/pull/11699\n[#11073]: https://github.com/linkerd/linkerd2/issues/11073\n[#11875]: https://github.com/linkerd/linkerd2/pull/11875\n[#11839]: https://github.com/linkerd/linkerd2/issues/11839\n[#11889]: https://github.com/linkerd/linkerd2/pull/11889\n[#11907]: https://github.com/linkerd/linkerd2/pull/11907\n[#11917]: https://github.com/linkerd/linkerd2/pull/11917\n\n## edge-23.12.4\n\nThis edge release includes fixes and improvements to the destination\ncontroller's endpoint resolution API.\n\n* Fixed an issue in the control plane where discovery for pod IP addresses could\n hang indefinitely ([#11815])\n* Updated the proxy to enforce time limits on control plane response streams so\n that proxies more naturally distribute load over control plane replicas\n ([#11837])\n* Fixed the policy's controller service metadata responses so that proxy logs\n and metrics have informative values ([#11842])\n\n[#11842]: https://github.com/linkerd/linkerd2/pull/11842\n[#11837]: https://github.com/linkerd/linkerd2/pull/11837\n[#11815]: https://github.com/linkerd/linkerd2/pull/11815\n\n## edge-23.12.3\n\nThis edge release contains improvements to the logging and diagnostics of the\ndestination controller.\n\n* Added a control plane metric to count errors talking to the Kubernetes API\n ([#11774])\n* Fixed an issue causing spurious destination controller error messages for\n profile lookups on unmeshed pods with port in default opaque list ([#11550])\n\n[#11774]: https://github.com/linkerd/linkerd2/pull/11774\n[#11550]: https://github.com/linkerd/linkerd2/pull/11550\n\n## edge-23.12.2\n\nThis edge release includes a restructuring of the proxy's balancer along with\naccompanying new metrics. The new minimum supported Kubernetes version is 1.22.\n\n* Restructured the proxy's balancer ([#11750]): balancer changes may now occur\n independently of request processing. Fail-fast circuit breaking is enforced on\n the balancer's queue so that requests can't get stuck in a queue indefinitely.\n This new balancer is instrumented with new metrics: request (in-queue) latency\n histograms, failfast states, discovery updates counts, and balancer endpoint\n pool sizes.\n* Changed how the policy controller updates HTTPRoute status so that it doesn't\n affect statuses from other non-linkerd controllers ([#11705]; fixes [#11659])\n\n[#11750]: https://github.com/linkerd/linkerd2/pull/11750\n[#11705]: https://github.com/linkerd/linkerd2/pull/11705\n[#11659]: https://github.com/linkerd/linkerd2/pull/11659\n\n## edge-23.12.1\n\nThis edge release introduces new configuration values in the identity\ncontroller for client-go's `QPS` and `Burst` settings. Default values for these\nsettings have also been raised from `5` (QPS) and `10` (Burst) to `100` and\n`200` respectively.\n\n* Added `namespaceSelector` fields for the tap-injector and jaeger-injector\n webhooks. The webhooks are now configured to skip `kube-system` by default\n ([#11649]; fixes [#11647]) (thanks @mikutas!)\n* Added the ability to configure client-go's `QPS` and `Burst` settings in the\n identity controller ([#11644])\n* Improved client-go logging visibility throughout the control plane's\n components ([#11632])\n* Introduced `PodDisruptionBudgets` in the linkerd-viz Helm chart for tap and\n tap-injector ([#11628]; fixes [#11248]) (thanks @mcharriere!)\n\n[#11649]: https://github.com/linkerd/linkerd2/pull/11649\n[#11647]: https://github.com/linkerd/linkerd2/issues/11647\n[#11644]: https://github.com/linkerd/linkerd2/pull/11644\n[#11632]: https://github.com/linkerd/linkerd2/pull/11632\n[#11628]: https://github.com/linkerd/linkerd2/pull/11628\n[#11248]: https://github.com/linkerd/linkerd2/issues/11248\n\n## edge-23.11.4\n\nThis edge release introduces support for the native sidecar containers entering\nbeta support in Kubernetes 1.29. This improves the startup and shutdown ordering\nfor the proxy relative to other containers, fixing the long-standing\nshutdown issue with injected `Job`s. Furthermore, traffic from other\n`initContainer`s can now be proxied by Linkerd.\n\nIn addition, this edge release includes Helm chart improvements, and improvements\nto the multicluster extension.\n\n* Added a new `config.alpha.linkerd.io/proxy-enable-native-sidecar` annotation\n and `Proxy.NativeSidecar` Helm option that causes the proxy container to run\n as an init-container (thanks @teejaded!) ([#11465]; fixes [#11461])\n* Fixed broken affinity rules for the multicluster `service-mirror` when running\n in HA mode ([#11609]; fixes [#11603])\n* Added a new check to `linkerd check` that ensures all extension namespaces are\n configured properly ([#11629]; fixes [#11509])\n* Updated the Prometheus Docker image used by the `linkerd-viz` extension to\n v2.48.0, resolving a number of CVEs in older Prometheus versions ([#11633])\n* Added `nodeAffinity` to `deployment` templates in the `linkerd-viz` and\n `linkerd-jaeger` Helm charts (thanks @naing2victor!) ([#11464]; fixes\n [#10680])\n\n[#11465]: https://github.com/linkerd/linkerd2/pull/11465\n[#11461]: https://github.com/linkerd/linkerd2/issues/11461\n[#11609]: https://github.com/linkerd/linkerd2/pull/11609\n[#11603]: https://github.com/linkerd/linkerd2/issues/11603\n[#11629]: https://github.com/linkerd/linkerd2/pull/11629\n[#11509]: https://github.com/linkerd/linkerd2/issues/11509\n[#11633]: https://github.com/linkerd/linkerd2/pull/11633\n[#11464]: https://github.com/linkerd/linkerd2/pull/11464\n[#10680]: https://github.com/linkerd/linkerd2/issues/10680\n\n## edge-23.11.3\n\nThis edge release fixes a bug where Linkerd could cause EOF errors during bursts\nof TCP connections.\n\n* Fixed a bug where the `linkerd multicluster link` command's\n `--gateway-addresses` flag was not respected when a remote gateway exists\n ([#11564])\n* proxy: Increased DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY to prevent EOF errors\n during bursts of TCP connections\n\n[#11564]: https://github.com/linkerd/linkerd2/pull/11564\n\n## edge-23.11.2\n\nThis edge release contains observability improvements and bug fixes to the\nDestination controller, and a refinement to the multicluster gateway resolution\nlogic.\n\n* Fixed an issue where the Destination controller could stop processing service\n profile updates, if a proxy subscribed to those updates stops reading them;\n this is a followup to the issue [#11491] fixed in [edge-23.10.3] ([#11546])\n* In the Destination controller, added informer lag histogram metrics to track\n whenever the Kubernetes objects watched by the controller are falling behind\n the state in the kube-apiserver ([#11534])\n* In the multicluster service mirror, extended the target gateway resolution\n logic to take into account all the possible IPs a hostname might resolve to,\n rather than just the first one (thanks @MrFreezeex!) ([#11499])\n* Added probes to the debug container to appease environments requiring probes\n for all containers ([#11308])\n\n[edge-23.10.3]: https://github.com/linkerd/linkerd2/releases/tag/edge-23.10.3\n[#11546]: https://github.com/linkerd/linkerd2/pull/11546\n[#11534]: https://github.com/linkerd/linkerd2/pull/11534\n[#11499]: https://github.com/linkerd/linkerd2/pull/11499\n[#11308]: https://github.com/linkerd/linkerd2/pull/11308\n\n## edge-23.11.1\n\nThis edge release fixes two bugs in the Destination controller that could cause\noutbound connections to hang indefinitely.\n\n* helm: Introduce configurable values for protocol detection ([#11536])\n* destination: Fix GetProfiles error when address is opaque and unmeshed ([#11556])\n* destination: Return NotFound for unknown pod names ([#11540])\n* proxy: Log controller errors at WARN\n* proxy: Fix grpc_status metric labels for inbound traffic\n\n[#11536]: https://github.com/linkerd/linkerd2/pull/11536\n[#11556]: https://github.com/linkerd/linkerd2/pull/11556\n[#11540]: https://github.com/linkerd/linkerd2/pull/11540\n\n## edge-23.10.4\n\nThis edge release includes a fix for the `ServiceProfile` CRD resource schema.\nThe schema incorrectly required `not` response matches to be arrays, while the\nin-cluster validator parsed `not` response matches as objects. In addition, an\nissues has been fixed in `linkerd profile`. When used with the `--open-api`\nflag, it would not strip trailing slashes when generating a resource from\nswagger specifications.\n\n* Fixed an issue where trailing slashes wouldn't be stripped when generating\n `ServiceProfile` resources through `linkerd profile --open-api` ([#11519])\n* Fixed an issue in the `ServiceProfile` CRD schema. The schema incorrectly\n required that a `not` response match should be an array, which the service\n profile validator rejected since it expected an object. The schema has been\n updated to properly indicate that `not` values should be an object ([#11510];\n fixes [#11483])\n* Improved logging in the destination controller by adding the client pod's\n name to the logging context. This will improve visibility into the messages\n sent and received by the control plane from a specific proxy ([#11532])\n* Fixed an issue in the destination controller where the metadata API would not\n initialize a `Job` informer. The destination controller uses the metadata API\n to retrieve `Job` metadata, and relies mostly on informers. Without an\n initialized informer, an error message would be logged, and the controller\n relied on direct API calls ([#11541]; fixes [#11531])\n\n[#11541]: https://github.com/linkerd/linkerd2/pull/11541\n[#11532]: https://github.com/linkerd/linkerd2/pull/11532\n[#11531]: https://github.com/linkerd/linkerd2/issues/11531\n[#11519]: https://github.com/linkerd/linkerd2/pull/11519\n[#11510]: https://github.com/linkerd/linkerd2/pull/11510\n[#11483]: https://github.com/linkerd/linkerd2/issues/11483\n\n## edge-23.10.3\n\nThis edge release fixes issues in the proxy and Destination controller which can\nresult in Linkerd proxies sending traffic to stale endpoints. In addition, it\ncontains other bugfixes and updates dependencies to include patches for the\nsecurity advisories [CVE-2023-44487]/GHSA-qppj-fm5r-hxr3 and GHSA-c827-hfw6-qwvm.\n\n* Fixed an issue where the Destination controller could stop processing\n changes in the endpoints of a destination, if a proxy subscribed to that\n destination stops reading service discovery updates. This issue results in\n proxies attempting to send traffic for that destination to stale endpoints\n ([#11491], fixes [#11480], [#11279], and [#10590])\n* Fixed a regression introduced in stable-2.13.0 where proxies would not\n terminate unused service discovery watches, exerting backpressure on the\n Destination controller which could cause it to become stuck\n ([linkerd2-proxy#2484] and [linkerd2-proxy#2486])\n* Added `INFO`-level logging to the proxy when endpoints are added or removed\n from a load balancer. These logs are enabled by default, and can be disabled\n by [setting the proxy log level][proxy-log-level] to\n `warn,linkerd=info,linkerd_proxy_balance=warn` or similar\n ([linkerd2-proxy#2486])\n* Fixed a regression where the proxy rendered `grpc_status` metric labels as a\n string rather than as the numeric status code ([linkerd2-proxy#2480]; fixes\n [#11449])\n* Extended `linkerd-jaeger`'s `imagePullSecrets` Helm value to also apply to\nthe `namespace-metadata` ServiceAccount ([#11504])\n* Updated the control plane's dependency on the `golang.google.org/grpc` Go\n package to include patches for [CVE-2023-44487]/GHSA-qppj-fm5r-hxr3 ([#11496])\n* Updated dependencies on `rustix` to include patches for GHSA-c827-hfw6-qwvm\n ([linkerd2-proxy#2488] and [#11512]).\n\n[#10590]: https://github.com/linkerd/linkerd2/issues/10590\n[#11279]: https://github.com/linkerd/linkerd2/issues/11279\n[#11491]: https://github.com/linkerd/linkerd2/pull/11491\n[#11449]: https://github.com/linkerd/linkerd2/issues/11449\n[#11480]: https://github.com/linkerd/linkerd2/issues/11480\n[#11504]: https://github.com/linkerd/linkerd2/issues/11504\n[#11512]: https://github.com/linkerd/linkerd2/issues/11512\n[linkerd2-proxy#2480]: https://github.com/linkerd/linkerd2-proxy/pull/2480\n[linkerd2-proxy#2484]: https://github.com/linkerd/linkerd2-proxy/pull/2484\n[linkerd2-proxy#2486]: https://github.com/linkerd/linkerd2-proxy/pull/2486\n[linkerd2-proxy#2488]: https://github.com/linkerd/linkerd2-proxy/pull/2488\n[proxy-log-level]: https://linkerd.io/2.14/tasks/modifying-proxy-log-level/\n[CVE-2023-44487]: https://github.com/advisories/GHSA-qppj-fm5r-hxr3\n\n## edge-23.10.2\n\nThis edge release includes a fix addressing an issue during upgrades for\ninstances not relying on automated webhook certificate management (like\ncert-manager provides).\n\n* Added a `checksum/config` annotation to the destination and proxy injector\n deployment manifests, to force restarting those workloads whenever their\n webhook secrets change during upgrade (thanks @iAnomaly!) ([#11440])\n* Fixed policy controller error when deleting a Gateway API HTTPRoute resource\n ([#11471])\n\n[#11440]: https://github.com/linkerd/linkerd2/pull/11440\n[#11471]: https://github.com/linkerd/linkerd2/pull/11471\n\n## edge-23.10.1\n\nThis edge release adds additional configurability to Linkerd's viz and\nmulticluster extensions.\n\n* Added a `podAnnotations` Helm value to allow adding additional annotations to\n the Linkerd-Viz Prometheus Deployment ([#11365]) (thanks @cemenson)\n* Added `imagePullSecrets` Helm values to the multicluster chart so that it can\n be installed in an air-gapped environment. ([#11285]) (thanks @lhaussknecht)\n\n[#11365]: https://github.com/linkerd/linkerd2/issues/11365\n[#11285]: https://github.com/linkerd/linkerd2/issues/11285\n\n## edge-23.9.4\n\nThis edge release makes Linkerd even better.\n\n* Added a controlPlaneVersion override to the `linkerd-control-plane` Helm chart\n to support including SHA256 image digests in Linkerd manifests (thanks\n @cromulentbanana!) ([#11406])\n* Improved `linkerd viz check` to attempt to validate that the Prometheus scrape\n interval will work well with the CLI and Web query parameters ([#11376])\n* Improved CLI error handling to print differentiated error information when\n versioncheck.linkerd.io cannot be resolved (thanks @dtaskai) ([#11377])\n* Fixed an issue where the destination controller would not update pod metadata\n for profile resolutions for a pod accessed via the host network (e.g.\n HostPort endpoints) ([#11334]).\n* Added a validating webhook config for httproutes.gateway.networking.k8s.io\n resources (thanks @mikutas!) ([#11150])\n* Introduced a new `multicluster check --timeout` flag to limit the time\n allowed for Kubernetes API calls (thanks @moki1202) ([#11420])\n\n[#11150]: https://github.com/linkerd/linkerd2/pull/11150\n[#11334]: https://github.com/linkerd/linkerd2/pull/11334\n[#11376]: https://github.com/linkerd/linkerd2/pull/11376\n[#11377]: https://github.com/linkerd/linkerd2/pull/11377\n[#11406]: https://github.com/linkerd/linkerd2/pull/11406\n[#11420]: https://github.com/linkerd/linkerd2/pull/11420\n\n## edge-23.9.3\n\nThis edge release updates the proxy's dependency on the `rustls` library to\npatch security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0]\n(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when\nacceting a TLS handshake from an untrusted peer with a maliciously-crafted\ncertificate. Furthermore, this edge release contains a few improvements to the\ncontrol plane and jaeger extension Helm charts.\n\n* Addressed security vulnerability [RUSTSEC-2023-0052][RUSTSEC-2023-0052-0] in\n the proxy by updating its dependency on the `rustls` library\n* Added a `prometheusUrl` field for the heartbeat job in the control plane Helm\n chart (thanks @david972!) ([#11343]; fixes [#11342])\n* Introduced support for arbitrary labels in the `podMonitors` field in the\n control plane Helm chart (thanks @jseiser!) ([#11222]; fixes [#11175])\n* Added support for config merge and Deployment environment to\n `opentelemetry-collector` in the jaeger extension (thanks @iAnomaly!)\n ([#11283])\n\n[#11283]: https://github.com/linkerd/linkerd2/pull/11283\n[#11222]: https://github.com/linkerd/linkerd2/pull/11222\n[#11175]: https://github.com/linkerd/linkerd2/issues/11175\n[#11343]: https://github.com/linkerd/linkerd2/pull/11343\n[#11342]: https://github.com/linkerd/linkerd2/issues/11342\n[RUSTSEC-2023-0052-0]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html\n\n## edge-23.9.2\n\nThis edge release updates the proxy's dependency on the `webpki` library to\npatch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a\npotential CPU usage denial-of-service attack when accepting a TLS handshake from\nan untrusted peer with a maliciously-crafted certificate.\n\n* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361])\n* Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods\n in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])\n* Removed unnecessary `linkerd.io/helm-release-version` annotation from the\n `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes\n [#10778])\n\n[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html\n[#11295]: https://github.com/linkerd/linkerd2/pull/11295\n[#11280]: https://github.com/linkerd/linkerd2/issues/11280\n[#11361]: https://github.com/linkerd/linkerd2/pull/11361\n[#11329]: https://github.com/linkerd/linkerd2/pull/11329\n[#10778]: https://github.com/linkerd/linkerd2/issues/10778\n\n## edge-23.9.1\n\nThis edge release introduces a fix for service discovery on endpoints that use\nhostPorts. Previously, the destination service would return the pod IP for the\ndiscovery request which could break connectivity on pod restart. To fix this,\ndirect pod communication for a pod bound on a hostPort will always return the\nhostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)\ndetected in the CNI plugin and proxy-init images, and includes a number of other\nfixes and small improvements.\n\n* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin\n ([#11296])\n* Introduced resource requests/limits for the policy controller resource in the\n control plane helm chart ([#11301])\n* Fixed an issue where an empty `remoteDiscoverySelector` field in a\n multicluster link would cause all services to be mirrored ([#11309])\n* Removed time out from `linkerd multicluster gateways` command; when no\n metrics exist the command will return instantly ([#11265])\n* Improved help messaging for `linkerd multicluster link` ([#11265])\n* Changed how hostPort lookups are handled in the destination service.\n Previously, when doing service discovery for an endpoint bound on a hostPort,\n the destination service would return the corresponding pod IP. On pod\n restart, this could lead to loss of connectivity on the client's side. The\n destination service now always returns host IPs for service discovery on an\n endpoint that uses hostPorts ([#11328])\n* Updated HTTPRoute webhook rule to validate all apiVersions of the resource\n (thanks @mikutas!) ([#11149])\n* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd\n inject` (thanks @mikutas!) ([#10231])\n\n[#11309]: https://github.com/linkerd/linkerd2/issues/11309\n[#11296]: https://github.com/linkerd/linkerd2/discussions/11296\n[#11328]: https://github.com/linkerd/linkerd2/pull/11328\n[#11301]: https://github.com/linkerd/linkerd2/issues/11301\n[#11265]: https://github.com/linkerd/linkerd2/pull/11265\n[#11149]: https://github.com/linkerd/linkerd2/pull/11149\n[#10231]: https://github.com/linkerd/linkerd2/issues/10231\n\n## stable-2.14.0\n\nThis release introduces direct pod-to-pod multicluster service mirroring. When\nclusters are deployed on a flat network, Linkerd can export multicluster\nservices in a way where cross-cluster traffic does not need to go through the\ngateway. This enhances multicluster authentication and can reduce the need for\nprovisioning public load balancers.\n\nIn addition, this release adds support for the\n[Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resource (in the\n`gateway.networking.k8s.io` api group). This improves compatibility with other\ntools that use these resources such as [Flagger](https://flagger.app/) and\n[Argo Rollouts](https://argoproj.github.io/rollouts/). The release also includes\na large number of features and improvements to HTTPRoute including the ability\nto set timeouts and the ability to define consumer-namespace HTTPRoutes.\n\nFinally, this release includes a number of bugfixes, performance improvements,\nand other smaller additions.\n\n**Upgrade notes**: Please see the\n[upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2140).\n\n* Multicluster\n * Remove namespace field from cluster scoped resources to fix pruning\n * Added -o json flag for the `linkerd multicluster gateways` command (thanks\n @hiteshwani29)\n * Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks\n @bunnybilou!)\n * Added leader-election capabilities to the service-mirror controller\n * Added high-availability (HA) mode for the multicluster service-mirror\n * Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD,\n which enables a service mirroring mode where the control plane\n performs discovery for the mirrored service from the remote cluster, rather\n than creating Endpoints for the mirrored service in the source cluster\n* HTTPRoute\n * Fixed `linkerd uninstall` issue for HTTPRoute\n * Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy\n controller\n * Added support for RequestHeaderModifier and RequestRedirect HTTP filters in\n outbound policy; filters may be added at the route or backend level\n * Added support for the `ResponseHeaderModifier` HTTPRoute filter\n * Added support for HTTPRoutes defined in the consumer namespace\n * Added support for HTTPRoute `parent_refs` that do not specify a port\n* CRDs\n * Patched the MeshTLSAuthentication CRD to force providing at least one\n identity/identityRef\n* Control Plane\n * Send Opaque protocol hint for opaque ports in destination controller\n * Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm\n charts with `topology.kubernetes.io/zone` labels (thanks @piyushsingariya!)\n * Replaced `server_port_subscribers` Destination controller gauge metric with\n `server_port_subscribes` and `server_port_unsubscribes` counter metrics\n* Proxy\n * Handle Opaque protocol hints on endpoints\n * Added `outbound_http_balancer_endpoints` metric\n * Fixed missing route_ metrics for requests with ServiceProfiles\n * Fixed proxy startup failure when using the `config.linkerd.io/admin-port`\n annotation (thanks @jclegras!)\n * Added distinguishable version information to proxy logs and metrics\n* CLI\n * The `linkerd diagnostics policy` command now displays outbound policy when\n the target resource is a Service\n * A fix for HA validation checks when Linkerd is installed with Helm. Thanks\n @mikutas!!\n* Viz\n * Add the `kubelet` NetworkAuthentication back since it is used by the\n `linkerd viz allow-scrapes` subcommand.\n * Fixed the `linkerd viz check` command so that it will wait until the viz\n extension becomes ready\n * Fixed an issue where specifying a `remote_write` config would cause the\n Prometheus config to be invalid (thanks @hiteshwani29)\n * Improved validation of the `--to` and `--from` flags for the `linkerd viz stat`\n command (thanks @pranoyk)\n * Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields\n (thanks @hiteshwani29!)\n * Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)\n * Fixed missing \"Services\" menu item in the Spanish localization for the\n `linkerd-viz` web dashboard (thanks @mclavel!)\n* Extensions\n * Added missing label `linkerd.io/extension` to certain resources to ensure they\n pruned when appropriate (thanks @ClementRepo)\n * Added tolerations and nodeSelector support in extensions `namespace-metadata`\n Jobs (thanks @pssalman!)\n* Init Containers\n * Added an option for disabling the network validator's security context for\n environments that provide their own\n* CNI\n * Added --set flag to install-cni plugin (thanks @amit-62!)\n * Fixed missing resource-cni labels on linkerd-cni, this blocked the\n linkerd-cni pods from coming up when the injector was broken (thanks\n @migueleliasweb!)\n* Build\n * Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!\n\nThis release includes changes from a massive list of contributors! A special\nthank-you to everyone who helped make this release possible:\n\n* Amir Karimi @AMK9978\n* Amit Kumar @amit-62\n* Andre Marcelo-Tanner @kzap\n* Andrew @andrew-gropyus\n* Arnaud Beun @bunnybilou\n* Clement @proxfly\n* Dima @krabradosty\n* Grégoire Bellon-Gervais @albundy83\n* Harsh Soni @harsh020\n* Jean-Charles Legras @jclegras\n* Loong Dai @daixiang0\n* Mark Robinson @MarkSRobinson\n* Miguel Elias dos Santos @migueleliasweb\n* Pranoy Kumar Kundu @pranoyk\n* Ryan Hristovski @ryanhristovski\n* Takumi Sue @mikutas\n* Zakhar Bessarab @zekker6\n* hiteshwani29 @hiteshwani29\n* pheianox\n* pssalman @pssalman\n\n## edge-23.8.3\n\nThis is a release candidate for stable-2.14.0; we encourage you to help trying\nit out!\n\nThis edge release contains a number of improvements over the multi-cluster\nfeatures introduced in the last edge release supporting flat networks. It also\nhardens the containers security stance by removing write access to the root\nfilesystem.\n\n* Enhanced `linkerd multicluster link` to allow clusters to be linked without a\n gateway ([#11226])\n* Added cluster store size gauge metric ([#11256])\n* Disabled local traffic policy for remote discovery ([#11257])\n* Fixed various innocuous multi-cluster warnings ([#11251], [#11246], [#11253])\n* Set `readOnlyRootFilesystem: true` in all the containers, as they don't\n require write permissions ([#11221]; fixes [#11142]) (thanks @mikutas!)\n\n[#11226]: https://github.com/linkerd/linkerd2/pull/11226\n[#11256]: https://github.com/linkerd/linkerd2/pull/11256\n[#11257]: https://github.com/linkerd/linkerd2/pull/11257\n[#11251]: https://github.com/linkerd/linkerd2/pull/11251\n[#11246]: https://github.com/linkerd/linkerd2/pull/11246\n[#11253]: https://github.com/linkerd/linkerd2/pull/11253\n[#11221]: https://github.com/linkerd/linkerd2/pull/11221\n[#11142]: https://github.com/linkerd/linkerd2/issues/11142\n\n## edge-23.8.2\n\nThis edge release adds improvements to Linkerd's multi-cluster features as part\nof the [flat network support] planned for Linkerd stable-2.14.0. In addition, it\nfixes an issue ([#10764]) where warnings about an invalid metric were logged\nfrequently by the Destination controller.\n\n* Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD,\n which enables a service mirroring mode where the control plane\n performs discovery for the mirrored service from the remote cluster, rather\n than creating Endpoints for the mirrored service in the source cluster\n ([#11190], [#11201], [#11220], and [#11224])\n* Fixed missing \"Services\" menu item in the Spanish localization for the\n `linkerd-viz` web dashboard ([#11229]) (thanks @mclavel!)\n* Replaced `server_port_subscribers` Destination controller gauge metric with\n `server_port_subscribes` and `server_port_unsubscribes` counter metrics\n ([#11206]; fixes [#10764])\n* Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm\n charts with `topology.kubernetes.io/zone` labels ([#11148]; fixes [#11114])\n (thanks @piyushsingariya!)\n\n[#10764]: https://github.com/linkerd/linkerd2/issues/10764\n[#11114]: https://github.com/linkerd/linkerd2/issues/11114\n[#11148]: https://github.com/linkerd/linkerd2/issues/11148\n[#11190]: https://github.com/linkerd/linkerd2/issues/11190\n[#11201]: https://github.com/linkerd/linkerd2/issues/11201\n[#11206]: https://github.com/linkerd/linkerd2/issues/11206\n[#11220]: https://github.com/linkerd/linkerd2/issues/11220\n[#11224]: https://github.com/linkerd/linkerd2/issues/11224\n[#11229]: https://github.com/linkerd/linkerd2/issues/11229\n[flat network support]: https://linkerd.io/2023/07/20/enterprise-multi-cluster-at-scale-supporting-flat-networks-in-linkerd/\n\n## edge-23.8.1\n\nThis edge release restores a proxy setting for it to shed load less aggressively\nwhile under high load, which should result in lower error rates (see #11055). It\nalso removes the usage of host networking in the linkerd-cni extension.\n\n* Changed the default HTTP request queue capacities for the inbound and outbound\n proxies back to 10,000 requests (see #11055 and #11198)\n* Lifted need of using host networking in the linkerd-cni Daemonset (#11141)\n (thanks @abhijeetgauravm!)\n\n## edge-23.7.3\n\nThis edge release improves Linkerd's support for HttpRoute by allowing\n`parent_ref` ports to be optional, allowing HttpRoutes to be defined in a\nconsumer's namespace, and adding support for the `ResponseHeaderModifier` filter.\nIt also fixes a panic in the destination controller.\n\n* Added an option for disabling the network validator's security context for\n environments that provide their own\n* Added high-availability (HA) mode for the multicluster service-mirror\n* Added support for HttpRoute `parent_refs` that do not specify a port\n* Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)\n* Added support for HttpRoutes defined in the consumer namespace\n* Improved the granularity of logging levels in the control plane\n* Fixed a race condition in the destination controller that could cause it to\n panic\n* Added support for the `ResponseHeaderModifier` HttpRoute filter\n* Updated extension CLI commands to prefer the `--register` flag over the\n `LINKERD_DOCKER_REGISTRY` environment variable, making the precedence more\n consistent (thanks @harsh020!)\n\n## edge-23.7.2\n\nThis edge release introduces support for HTTP filters configured through both\n`policy.linkerd.io` and `gateway.networking.k8s.io` HTTPRoute resources.\nCurrently, RequestHeaderModifier and RequestRedirect HTTP filters are\nsupported. Additionally, this release fixes an issue with the linkerd-cni\nchart.\n\n* Added support for RequestHeaderModifier and RequestRedirect HTTP filters in\n outbound policy; filters may be added at the route or backend level\n* Fixed missing resource-cni labels on linkerd-cni, this blocked the\n linkerd-cni pods from coming up when the injector was broken (thanks\n @migueleliasweb!)\n\n## edge-23.7.1\n\nThis edge release adds support for the upstream `gateway.networking.k8s.io`\nHTTPRoute resource (in addition to the `policy.linkerd.io` CRD installed by\nLinkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to\nfall back to ServiceProfiles for destinations without HTTPRoutes.\n\n* Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy\n controller\n* Added distinguishable version information to proxy logs and metrics\n* Fixed incorrect handling of `NotFound` client policies in ingress-mode proxies\n\n## edge-23.6.3\n\nThis edge release adds leader-election capabilities to the service-mirror\ncontroller under the hood, as a precursor to HA mode in an upcoming release. It\nalso includes a `linkerd viz tap` improvement and a proxy startup bugfix, both\ncontributed by the community!\n\n* Added leader-election capabilities to the service-mirror controller\n* Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields\n (thanks @hiteshwani29!)\n* Fixed proxy startup failure when using the `config.linkerd.io/admin-port`\n annotation (thanks @jclegras!)\n\n## edge-23.6.2\n\nThis edge release introduces timeout capabilities for HTTPRoutes in a manner\ncompatible with the proposed changes to HTTPRoute in\n[kubernetes-sigs/gateway-api#1997](https://github.com/kubernetes-sigs/gateway-api/pull/1997).\n\nThis release also includes several small improvements and fixes:\n\n* A fix for HA validation checks when Linkerd is installed with Helm. Thanks\n@mikutas!!\n* Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!\n\n## edge-23.6.1\n\nThis edge release changes the behavior of the CNI plugin to run exclusively in\n\"chained mode\". Instead of creating its own configuration file, the CNI plugin\nwill now wait until a `conf` file exists before appending its configuration.\nAdditionally, this change includes a bug fix for topology aware service\nrouting.\n\n* Changed the CNI plugin installer to always run in 'chained' mode; the plugin will\n now wait until another CNI plugin is installed before appending its\n configuration\n* Fixed bug where topology routing would not disable while service was under\n load (thanks @MarkSRobinson!)\n* Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks\n @bunnybilou!)\n\n## edge-23.5.3\n\nThis edge release includes fixes for several bugs related to HTTPRoute handling.\n\n* Fixed an issue where the `namespace` field on HTTPRoute `backendRef`s was\n ignored, and the backend Service would always be assumed to be in the\n namespace as the parent Service\n* Fixed an issue where default authorizations generated for readiness and\n liveness probes would fail if the probe path included URI query parameters\n* Fixed the proxy not using gRPC response classification for gRPC requests to\n destinations without ServiceProfiles\n\n## edge-23.5.2\n\nThis edge release adds some minor improvements in the MeshTLSAuthentication CRD\nand the extensions charts, and fixes an issue with `linkerd multicluster check`.\n\n* Added tolerations and nodeSelector support in extensions `namespace-metadata`\n Jobs (thanks @pssalman!)\n* Patched the MeshTLSAuthentication CRD to force providing at least one\n identity/identityRef\n* Fixed the `linkerd multicluster check` command failing in the presence of lots\n of mirrored services\n\n## edge-23.5.1\n\nThis edge release introduces the ability to configure the proxy's discovery cache\ntimeouts via annotations. While most users will not need to do this, it can be\nuseful to improve the mesh's resilience to control plane failures. This release\nalso includes a number of other important improvements and bug fixes.\n\n* Added -o json flag for the `linkerd multicluster gateways` command (thanks\n @hiteshwani29)\n* Added missing label `linkerd.io/extension` to certain resources to ensure they\n pruned when appropriate (thanks @ClementRepo)\n* Fixed a memory leak in the service mirror controller\n* Improved validation of the `--to` and `--from` flags for the `linkerd viz stat`\n command (thanks @pranoyk)\n* Fixed an issue with W3C trace context propagation which caused proxy spans to\n be siblings rather than children of their original parent (thanks\n @whiskeysierra)\n* Updated the Linkerd CNI plugin base docker image from Debian to Alpine\n* Fixed an issue where specifying a `remote_write` config would cause the\n Prometheus config to be invalid (thanks @hiteshwani29)\n* Added the ability to configure the proxy's discovery cache timeouts with the\n `config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout` and\n `config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout` annotations\n* Fixed the `linkerd viz check` command so that it will wait until the viz\n extension becomes ready\n* Fixed an issue where meshed pods could not communicate with themselves through\n a ClusterIP Service\n\n## edge-23.4.3\n\nThis edge release improves compatibility with ArgoCD by changing the Linkerd\ncontrol plane to create Lease resources at runtime rather than including them\nin the Helm chart. It also addresses a CVE by upgrading an underlying\ndependency.\n\n* Upgraded `h2` dependency to address CVE-2023-26964\n* Fixed an issue where `server_port_subscribers` metric in the Destination\n controller was sometimes absent\n* Removed the policy-controller-write Lease from the control plane Helm chart in\n favor of creating it at runtime\n* Updated the proxy-injector to pass opaque port lists to the proxy as ranges\n rather than individually, greatly reducing the size of proxy manifests when\n large opaque port ranges are set\n* Fixed an issue where the proxy was performing protocol detection on ports\n marked as opaque\n* Improved backwards compatibility between 2.13 proxies and 2.12 control planes\n\n## edge-23.4.2\n\nThis edge release contains a number of bug fixes.\n\n* CLI\n * Fixed `linkerd uninstall` issue for HttpRoute\n * The `linkerd diagnostics policy` command now displays outbound policy when\n the target resource is a Service\n\n* CNI\n * Fixed incompatibility issue with AWS CNI addon in EKS, that was\n forbidding pods to acquire networking after scaling up nodes.\n (thanks @frimik!)\n * Added --set flag to install-cni plugin (thanks @amit-62!)\n\n* Control Plane\n * Fixed an issue where the policy controller always used the default\n `cluster.local` domain\n * Send Opaque protocol hint for opaque ports in destination controller\n\n* Helm\n * Fixed an issue in the viz Helm chart where the namespace metadata template\n would throw `unexpected argument found` errors\n * Fixed Jaeger chart installation failure\n\n* Multicluster\n * Remove namespace field from cluster scoped resources to fix pruning\n\n* Proxy\n * Updated `h2` dependency to include a patch for a theoretical\n denial-of-service vulnerability discovered in CVE-2023-26964\n * Handle Opaque protocol hints on endpoints\n * Changed the proxy's default log level to silence warnings from\n `trust_dns_proto` that are generally spurious.\n * Added `outbound_http_balancer_endpoints` metric\n * Fixed missing route_ metrics for requests with ServiceProfiles\n\n* Viz\n * Bump prometheus image to v2.43.0\n * Add the `kubelet` NetworkAuthentication back since it is used by the\n`linkerd viz allow-scrapes` subcommand.\n\n## stable-2.13.1\n\nThis stable release fixes an issue in the policy controller where a non-default\ncluster domain would return incorrect authorities in the outbound policy API.\nAdditionally, this release updates a proxy dependency to fix CVE-2023-2694.\n\n* Proxy\n * Updated `h2` dependency to include a patch for a theoretical\n denial-of-service vulnerability discovered in CVE-2023-26964\n\n* Control Plane\n * Fixed an issue where the policy controller always used the default\n `cluster.local` domain\n\n* Helm\n * Fixed an issue in the viz Helm chart where the namespace metadata template\n would throw `unexpected argument found` errors\n\n## stable-2.13.0\n\nThis release introduces client-side policy to Linkerd, including dynamic routing\nand circuit breaking. [Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoutes\ncan now be used to configure policy for outbound (client) proxies as well as\ninbound (server) proxies, by creating HTTPRoutes with Service resources as their\n`parentRef`. See the Linkerd documentation for tutorials on [dynamic request\nrouting] and [circuit breaking]. New functionality for debugging HTTPRoute-based\npolicy is also included in this release, including [new proxy metrics] and the\nability to display outbound policies in the `linkerd diagnostics policy` CLI\ncommand.\n\nIn addition, this release adds `network-validator`, a new init container to be\nused when CNI is enabled. `network-validator` ensures that local iptables rules\nare working as expected. It will validate this before linkerd-proxy starts.\n`network-validator` replaces the `noop` container, runs as `nobody`, and drops\nall capabilities before starting.\n\nFinally, this release includes a number of bugfixes, performance improvements,\nand other smaller additions.\n\n**Upgrade notes**: Please see the [upgrade instructions][upgrade-2130].\n\n* CRDs\n * HTTPRoutes may now have Service parents, to configure outbound policy\n * Updated HTTPRoute version from `v1alpha1` to `v1beta2`\n\n* CLI\n * Added a new `linkerd prune` command to the CLI (including most extensions) to\n remove resources which are no longer part of Linkerd's manifests\n * Added additional shortnames for Linkerd policy resources (thanks @javaducky!)\n * The `linkerd diagnostics policy` command now displays outbound policy when\n the target resource is a Service\n\n* Control Plane\n * The policy controller now discovers outbound policy configurations from\n HTTPRoutes that target Services.\n * Added OutboundPolicies API, for use by `linkerd-proxy` to route\n outbound traffic\n * Added Prometheus `/metrics` endpoint to the admin server, with process\n metrics\n * Fixed QueryParamMatch parsing for HTTPRoutes\n * Added the policy status controller which writes the `status` field to\n HTTPRoutes when a parent reference Server accepts or rejects it\n * Added KubeAPI server ports to `ignoreOutboundPorts` of `proxy-injector`\n * No longer apply `waitBeforeExitSeconds` to control plane, viz and jaeger\n extension pods\n * Added support for the `internalTrafficPolicy` of a service (thanks @yc185050!)\n * Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)\n * Added protection against nil dereference in resources helm template\n * Added support for Pod Security Admission (Pod Security Policy resources are\n still supported but disabled by default)\n * Lowered non-actionable error messages in the Destination log to debug-level\n entries to avoid triggering false alarms (thanks @siddharthshubhampal!)\n * Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;\n when using more than one slice, a `NoEndpoints` event would be sent to the\n proxy regardless of the amount of endpoints that were still available\n (thanks @utay!)\n * Improved diagnostic log messages\n * Fixed sending of spurious profile updates\n * Removed unnecessary Namespaces access from the destination controller RBAC\n * Added the server_port_subscribers metric to track the number of subscribers\n to Server changes associated with a pod's port\n * Added the service_subscribers metric to track the number of subscribers to\n Service changes\n * Fixed a small memory leak in the opaque ports watcher\n\n* Proxy\n * Use the new OutboundPolicies API, supporting Gateway API-style routes\n in the outbound proxy\n * Added support for dynamic request routing based on HTTPRoutes\n * Added HTTP circuit breaking\n * Added `outbound_route_backend_http_requests_total`,\n `outbound_route_backend_grpc_requests_total`, and\n `outbound_http_balancer_endpoints` metrics\n * Changed the proxy's behavior when traffic splitting so that only services\n that are not in failfast are used. This will enable the proxy to manage\n failover without external coordination\n * Updated tokio (async runtime) in the proxy which should reduce CPU usage,\n especially for proxy's pod local (i.e in the same network namespace)\n communication\n\n* linkerd-proxy-init\n * Changed `proxy-init` iptables rules to be idempotent upon init pod\n restart (thanks @jim-minter!)\n * Improved logging in `proxy-init` and `linkerd-cni`\n * Added a `proxyInit.privileged` setting to control whether the `proxy-init`\n initContainer runs as a privileged process\n\n* CNI\n * Added static and dynamic port overrides for CNI eBPF to work with socket-level\n load balancing\n * Added `network-validator` init container to ensure that iptables rules are\n working as expected\n * Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)\n\n* Viz\n * Added `tap.ignoredHeaders` Helm value to the linkerd-viz chart. This value\n allows users to specify a comma-separated list of header names which will be\n ignored by Linkerd Tap (thanks @ryanhristovski!)\n * Removed duplicate SecurityContext in Prometheus manifest\n * Added new flag `--viz-namespace` which avoids requiring permissions for\n listing all namespaces in `linkerd viz` subcommands (thanks @danibaeyens!)\n * Removed the TrafficSplit page from the Linkerd viz dashboard (thanks\n @h-dav!)\n * Introduced new values in the `viz` chart to allow for arbitrary annotations\n on the `Service` objects (thanks @sgrzemski!)\n * Added an optional AuthorizationPolicy to authorize Grafana to Prometheus\n in the Viz extension\n\n* Multicluster\n * Removed duplicate AuthorizationPolicy for probes from the multicluster\n gateway Helm chart\n * Updated wording for linkerd-multicluster cluster when it fails to probe a\n remote gateway mirror\n * Added multicluster gateway `nodeSelector` and `tolerations` helm parameters\n * Added new configuration options for the multicluster gateway:\n * `gateway.deploymentAnnotations`\n * `gateway.terminationGracePeriodSeconds` (thanks @bunnybilou!)\n * `gateway.loadBalancerSourceRanges` (thanks @Tyrion85!)\n\n* Extensions\n * Removed dependency on the `curlimages/curl` 3rd-party image used to initialize\n extensions namespaces metadata (so they are visible by `linkerd check`),\n replaced by the new `extension-init` image\n * Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources\n in Linkerd extensions\n * Removed policy resources bound to admin servers in extensions (previously\n these resources were used to authorize probes but now are authorized by\n default)\n * Fixed the link to the Jaeger dashboard the in viz dashboard (thanks\n @eugenegoncharuk!)\n * Updated linkerd-jaeger's collector to expose port 4318 in order support HTTP\n alongside gRPC (thanks @uralsemih!)\n\n* Among other dependency updates, the no-longer maintained ghodss/yaml library\n was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)\n\nThis release includes changes from a massive list of contributors! A special\nthank-you to everyone who helped make this release possible:\n\n* Andrew Pinkham [@jambonrose](https://github.com/jambonrose)\n* Arnaud Beun [@bunnybilou](https://github.com/bunnybilou)\n* Carlos Tadeu Panato Junior [@cpanato](https://github.com/cpanato)\n* Christian Segundo [@someone-stole-my-name](https://github.com/someone-stole-my-name)\n* Dani Baeyens [@danibaeyens](https://github.com/danibaeyens)\n* Duc Tran [@ductnn](https://github.com/ductnn)\n* Eng Zer Jun [@Juneezee](https://github.com/Juneezee)\n* Ivan Ivic [@Tyrion85](https://github.com/Tyrion85)\n* Joe Bowbeer [@joebowbeer](https://github.com/joebowbeer)\n* Jonathan Ogilvie [@jcogilvie](https://github.com/jcogilvie)\n* Jun [@junnplus](https://github.com/junnplus)\n* Loong Dai [@daixiang0](https://github.com/daixiang0)\n* María Teresa Rojas [@mtrojas](https://github.com/mtrojas)\n* Mo Sattler [@MoSattler](https://github.com/MoSattler)\n* Oleg Vorobev [@olegy2008](https://github.com/olegy2008)\n* Paul Balogh [@javaducky](https://github.com/javaducky)\n* Peter Smit [@psmit](https://github.com/psmit)\n* Ryan Hristovski [@ryanhristovski](https://github.com/ryanhristovski)\n* Semih Ural [@uralsemih](https://github.com/uralsemih)\n* Shubhodeep Mukherjee [@shubhodeep9](https://github.com/shubhodeep9)\n* Siddharth S Pal [@siddharthshubhampal](https://github.com/siddharthshubhampal)\n* Subhash Choudhary [@subhashchy](https://github.com/subhashchy)\n* Szymon Grzemski [@sgrzemski](https://github.com/sgrzemski)\n* Takumi Sue [@mikutas](https://github.com/mikutas)\n* Yannick Utard [@utay](https://github.com/utay)\n* Yu Cao [@yc185050](https://github.com/yc185050)\n* anoxape [@anoxape](https://github.com/anoxape)\n* bastienbosser [@bastienbosser](https://github.com/bastienbosser)\n* bitfactory-sem-denbroeder [@bitfactory-sem-denbroeder](https://github.com/bitfactory-sem-denbroeder)\n* cui fliter [@cuishuang](https://github.com/cuishuang)\n* eugenegoncharuk [@eugenegoncharuk](https://github.com/eugenegoncharuk)\n* h-dav @[h-dav](https://github.com/h-dav)\n* martinkubrak [@martinkubra](https://github.com/martinkubra)\n* verbotenj [@verbotenj](https://github.com/verbotenj)\n* ziollek [@ziollek](https://github.com/ziollek)\n\n[dynamic request routing]: https://linkerd.io/2.13/tasks/configuring-dynamic-request-routing\n[circuit breaking]: https://linkerd.io/2.13/tasks/circuit-breakers\n[new proxy metrics]: https://linkerd.io/2.13/reference/proxy-metrics/#outbound-xroute-metrics\n[upgrade-2130]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2130\n\n## edge-23.4.1\n\nThis is a release candidate for stable-2.13.0 — we encourage you to help\ntry it out!\n\nThis edge release introduces request-level HTTP circuit-breaking\nusing a consecutive failures failure accrual policy. Circuit breaking can be\nconfigured by adding failure accrual annotations to a Service. In addition, this\nrelease adds new `outbound_route_backend_http_requests_total` and\n`outbound_route_backend_grpc_requests_total` proxy metrics, which can be\nused to track how routing rules and backend distributions apply to\nrequests. These metrics contain labels describing the route's parent\n(i.e. a Service), the route resource being used, and the backend\nresource being used by each request.\n\n* Proxy\n * Added discovery of failure accrual policies from the OutboundPolicy API\n * Implemented consecutive failures failure accrual policy\n * Added INFO-level logging on failure accrual changes\n * Added `outbound_route_backend_http_requests_total` and\n `outbound_route_backend_grpc_requests_total` metrics\n\n* Policy Controller\n * Added failure accrual configuration to the OutboundPolicy API\n * Added Prometheus `/metrics` endpoint to the admin server, with process\n metrics\n * Changed the policy controller to only accept HTTPRoutes when the parentRef\n is a ClusterIP Service\n * Added ports to service references in the OutboundPolicy API\n\n* Viz\n * Added `tap.ignoredHeaders` Helm value to the linkerd-viz chart. This value\n allows users to specify a comma-separated list of header names which will be\n ignored by Linkerd Tap (thanks @ryanhristovski!)\n * Removed duplicate SecurityContext in Prometheus manifest\n\n* Multicluster\n * Removed duplicate AuthorizationPolicy for probes from the multicluster\n gateway Helm chart\n\n## edge-23.3.4\n\nThis edge release further enhances the OutboundPolicies API used by the proxy to\nroute outbound traffic, and continues extending the HTTPRoute resource's Status\nfield. It also starts integrating circuit-breaking functionality into the proxy,\nwhich will be configurable in a subsequent iteration.\n\n* Continued iterating on the HTTPRoute's Status field, by extending support for\n routes parented to Services, and adding a ResolvedRefs condition reflecting\n the status of BackendRefs\n* Updated the OutboundPolicies API such that only HTTPRoutes with an Accepted\n status of `true` are considered when routing outbound requests\n* Improved handling of invalid backends, allowing the configuration of error\n responses\n* Added new flag `--viz-namespace` which avoids requiring permissions for\n listing all namespaces in `linkerd viz` subcommands (thanks @danibaeyens!)\n* Among other dependency updates, the no-longer maintained ghodss/yaml library\n was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)\n\n## edge-23.3.3\n\nThis edge release removes TrafficSplits from the Linkerd dashboard as well as\nfixing a number of issues in the policy controller.\n\n* Removed the TrafficSplit page from the Linkerd viz dashboard\n* Fixed an issue where the policy controller was not returning the correct\n status for non-Service authorities\n* Fixed an issue where the policy controller could use large amounts of CPU\n when lease API calls failed\n\n## edge-23.3.2\n\nThis edge release continues to improve dynamic Policy statuses and\nintroduces support for header-based routing.\n\n* Destination Controller\n * Added OutboundPolicies API, for use by `linkerd-proxy` to route\n outbound traffic\n * Improved diagnostic log messages\n * Fixed sending of spurious profile updates\n\n* Proxy\n * Use the new OutboundPolicies API, supporting Gateway API-style routes\n in the outbound proxy\n\n* Policy Controller\n * Support highly available Policy Controller by utilizing\n `policy-controller-write` Lease when patching HTTPRoutes\n * Consider the `status` field and filter out HTTPRoutes which have not\n been accepted\n\n* Added KubeAPI server ports to `ignoreOutboundPorts` of `proxy-injector`\n* Updated HTTPRoute version from `v1alpha1` to `v1beta2`\n* Updated `network-validator` helm charts to use `proxy-init` resources\n* Fixed Grafana regular expression, enabling monitoring of filesystem\n usage (thanks @h-dav!)\n\n## edge-23.3.1\n\nThis edge release continues to build support under the hood for the upcoming\nfeatures in 2.13. Also included are several dependency updates and less verbose\nlogging.\n\n* Removed dependency on the `curlimages/curl` 3rd-party image used to initialize\n extensions namespaces metadata (so they are visible by `linkerd check`),\n replaced by the new `extension-init` image\n* Lowered non-actionable error messages in the Destination log to debug-level\n entries to avoid triggering false alarms (thanks @siddharthshubhampal!)\n\n## edge-23.2.3\n\nThis edge release includes a number of fixes and introduces a new CLI command,\n`linkerd prune`. The new `prune` command should be used to remove resources\nwhich are no longer part of the Linkerd manifest when doing an upgrade.\nPreviously, the recommendation was to use `linkerd upgrade` in conjunction with\n`kubectl apply --prune`, however, that will not remove resources which are not\npart of the input manifest, and it will not detect cluster scoped resources,\n`linkerd prune` (included in all core extensions) should be preferred over it.\n\nAdditionally, this change contains a few fixes from our external contributors,\nand a change to the `viz` Helm chart which allows for arbitrary annotations on\n`Service` objects. Last but not least, the release contains a few proxy\ninternal changes to prepare for the new client policy API.\n\n* Added a new `linkerd prune` command to the CLI (including extensions) to\n remove resources which are no longer part of Linkerd's manifests\n* Introduced new values in the `viz` chart to allow for arbitrary annotations\n on the `Service` objects (thanks @sgrzemski!)\n* Fixed up a comment in k8s API wrapper (thanks @ductnn!)\n* Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;\n when using more than one slice, a `NoEndpoints` event would be sent to the\n proxy regardless of the amount of endpoints that were still available (thanks\n @utay!)\n\n## edge-23.2.2\n\nThis edge release adds the policy status controller which writes the `status`\nfield to HTTPRoutes when a parent reference Server accepts or rejects the\nHTTPRoute. This field is currently not consumed by the policy controller, but\nacts as the first step for considering HTTPRoute `status` when serving policy.\n\nAdditionally, the destination controller now uses the Kubernetes metadata API\nfor resources which it only needs to track the metadata for — Nodes and\nReplicaSets. For all other resources it tracks, it uses additional information\nso continues to use the API as before.\n\n* Fixed error message to include the colliding Server in the policy controller's\n admission webhook validation\n* Updated wording for linkerd-multicluster cluster when it fails to probe a\n remote gateway mirror\n* Removed unnecessary Namespaces access from the destination controller RBAC\n* Added Kubernetes metadata API in the destination controller for watching Nodes\n and ReplicaSets\n* Fixed QueryParamMatch parsing for HTTPRoutes\n* Added the policy status controller which writes the `status` field to\n HTTPRoutes when a parent reference Server accepts or rejects it\n\n## edge-23.2.1\n\nThis edge release sees the `linkerd-cni` plugin moved to\n`linkerd2-proxy-init` and released from that repository. An iptables\nimprovement to `linkerd-cni` and `proxy-init` is the main focus. Other\nminor fixes are also included.\n\n* Changed `proxy-init` iptables rules to be idempotent upon init pod\n restart (thanks @jim-minter!)\n* Improved logging in `proxy-init` and `linkerd-cni`\n* Added the server_port_subscribers metric to track the number of subscribers\n to Server changes associated with a pod's port\n* Added the service_subscribers metric to track the number of subscribers to\n Service changes\n* Fixed a small memory leak in the opaque ports watcher\n* No longer apply `waitBeforeExitSeconds` to control plane, viz and jaeger\n extension pods\n* Added support for the `internalTrafficPolicy` of a service (thanks @yc185050!)\n* Added `limits` and `requests` to network-validator for ResourceQuota interop\n* Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)\n* Added multicluster gateway `nodeSelector` and `tolerations` helm parameters\n* Added protection against nil dereference in resources helm template\n\n## edge-23.1.2\n\nThis edge release fixes a memory leak in the Linkerd control plane that could\noccur when many many pods were created. It also adds a number of new\nconfiguration options Multicluster extension's gateway.\n\n* Added additional shortnames for Linkerd policy resources (thanks @javaducky!)\n* Added new configuration options for the multicluster gateway:\n * `gateway.deploymentAnnotations`\n * `gateway.terminationGracePeriodSeconds` (thanks @bunnybilou!)\n * `gateway.loadBalancerSourceRanges` (thanks @Tyrion85!)\n* Added an optional AuthorizationPolicy to authorize Grafana to Prometheus\n in the Viz extension\n* Fixed the link to the Jaeger dashboard the in viz dashboard (thanks @eugenegoncharuk!)\n* Fixed an issue where control plane components could fail to start on large\n clusters because of failing readiness probes while caches were being\n initialized\n* Fixed a memory leak in the Destination controller\n* Fixed an issue where PodSecurityPolicies could reject Linkerd control plane\n components due to the `seccompProfile`\n\n## edge-23.1.1\n\nThis edge release fixes a caching issue in the destination controller, converts\ndeprecated policy resources, and introduces several changes to how the proxy\nworks.\n\nA bug in the destination controller that could potentially lead to stale pods\nbeing considered in the load balancer has been fixed.\n\nSeveral Linkerd extensions were still using the now deprecated\nServerAuthorization resource. These instances have now been converted to using\nAuthorizationPolicy. Additionally, removed several policy resources that\nauthenticated probes, since probes are now authenticated by default.\n\nAs part of ongoing policy work, there are several changes with how the proxy\nworks. Routes are now lazily initialized so that service profile routes will\nnot show up in metrics until the route is used. Furthermore, the proxy’s\ntraffic splitting behavior has changed so that only available resources are\nused, resulting in less failfast errors.\n\nFinally, this edge release contains a number of fixes and improvements from our\ncontributors.\n\n* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources\n in Linkerd extensions\n* Removed policy resources bound to admin servers in extensions (previously\n these resources were used to authorize probes but now are authorized by\n default)\n* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)\n* Fixed an issue in the CLI where `--identity-external-ca` would set an\n incorrect field (thanks @anoxape!)\n* Fixed an issue in the destination controller's cache that could result in\n stale endpoints when using EndpointSlice objects\n* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)\n* Added support for Pod Security Admission (Pod Security Policy resources are\n still supported but disabled by default)\n* Changed routes to be initialized lazily. Service Profile routes will no\n longer show up in metrics until the route is used (default routes are always\n available when no Service Profile is defined for a service)\n* Changed the proxy's behavior when traffic splitting so that only services\n that are not in failfast are used. This will enable the proxy to manage\n failover without external coordination\n* Updated tokio (async runtime) in the proxy which should reduce CPU usage,\n especially for proxy's pod local (i.e in the same network namespace)\n communication\n* Fixed an issue where `linkerd viz tap` would display wrong latency/duration\n value (thanks @olegy2008!)\n\n## edge-22.12.1\n\nThis edge release introduces static and dynamic port overrides for CNI eBPF\nsocket-level load balancing. In certain installations when CNI plugins run in\neBPF mode, socket-level load balancing rewrites packet destinations to port\n6443; as with 443 already, this port is now skipped as well on control plane\ncomponents so that they can communicate with the Kubernetes API before their\nproxies are running.\n\nAdditionally, a potential panic and false warning have been fixed in the\ndestination controller.\n\n* Updated linkerd-jaeger's collector to expose port 4318 in order support HTTP\n alongside gRPC (thanks @uralsemih!)\n* Added a `proxyInit.privileged` setting to control whether the `proxy-init`\n initContainer runs as a privileged process\n* Fixed a potential panic in the destination controller caused by concurrent\n writes when dealing with Endpoint updates\n* Fixed false warning when looking up HostPort mappings on Pods\n* Added static and dynamic port overrides for CNI eBPF to work with socket-level\n load balancing\n\n## edge-22.11.3\n\nThis edge release fixes connection errors to pods that use `hostPort`\nconfigurations. The CNI `network-validator` init container features\nimproved error logging, and the default `linkerd-cni` DaemonSet\nconfiguration is updated to tolerate all node taints so that the CNI\nruns on all nodes in a cluster.\n\n* Fixed `destination` service to properly discover targets using a `hostPort`\n different than their `containerPort`, which was causing 502 errors\n* Upgraded the `network-validator` with better logging allowing users to\n determine whether failures occur as a result of their environment or the tool\n itself\n* Added default `Exists` toleration to the `linkerd-cni` DaemonSet, allowing it\n to be deployed in all nodes by default, regardless of taints\n\n## edge-22.11.2\n\nThis edge release introduces the use of the Kubernetes metadata API in the\nproxy-injector and tap-injector components. This can reduce the IO and memory\nfootprint for those components as they now only need to track the metadata for\ncertain resources, rather than the entire resource itself. Similar changes will\nbe made for the destination component in an upcoming release.\n\n* Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients\n* Changed the proxy-injector and tap-injector components to use the metadata API\n which should result in less memory consumption\n\n## edge-22.11.1\n\nThis edge releases ships a few fixes in Linkerd's dashboard, and the\nmulticluster extension. Additionally, a regression has been fixed in the CLI\nthat blocked upgrades from versions older than 2.12.0, due to missing CRDs\n(even if the CRDs were present in-cluster). Finally, the release includes\nchanges to the helm charts to allow for arbitrary (user-provided) labels on\nLinkerd workloads.\n\n* Fixed an issue in the CLI where upgrades from any version prior to\n stable-2.12.0 would fail when using the `--from-manifest` flag\n* Removed un-injectable namespaces, such as kube-system from unmeshed resource\n notification in the dashboard (thanks @MoSattler!)\n* Fixed an issue where the dashboard would respond to requests with 404 due to\n wrong root paths in the HTML script (thanks @junnplus!)\n* Removed the proxyProtocol field in the multicluster gateway policy; this has\n the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks\n @psmit!)\n* Fixed the multicluster gateway UID when installing through the CLI, prior to\n this change the 'runAsUser' field would be empty\n* Changed the helm chart for the control plane and all extensions to support\n arbitrary labels on resources (thanks @bastienbosser!)\n\n## edge-22.10.3\n\nThis edge release adds `network-validator`, a new init container to be used when\nCNI is enabled. `network-validator` ensures that local iptables rules are\nworking as expected. It will validate this before linkerd-proxy starts.\n`network-validator` replaces the `noop` container, runs as `nobody`, and drops\nall capabilities before starting.\n\n* Validate CNI `iptables` configuration during pod startup\n* Fix \"cluster networks contains all services\" fails with services with no\n ClusterIP\n* Remove kubectl version check from `linkerd check` (thanks @ziollek!)\n* Set `readOnlyRootFilesystem: true` in viz chart (thanks @mikutas!)\n* Fix `linkerd multicluster install` by re-adding `pause` container image\n in chart\n* linkerd-viz have hardcoded image value in namespace-metadata.yml template\n bug correction (thanks @bastienbosser!)\n\n## edge-22.10.2\n\nThis edge release fixes an issue with CNI chaining that was preventing the\nLinkerd CNI plugin from working with other CNI plugins such as Cilium. It also\nincludes several other fixes.\n\n* Updated Grafana dashboards to use variable duration parameter so that they can\n be used when Prometheus has a longer scrape interval (thanks @TarekAS)\n* Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI plugin\n can be used alongside other CNI plugins such as Cilium\n* Added a `linkerd diagnostics policy` command to inspect Linkerd policy state\n* Added a check that ClusterIP services are in the cluster networks\n* Added a noop init container to injected pods when the CNI plugin is enabled\n to prevent certain scenarios where a pod can get stuck without an IP address\n* Fixed a bug where the`config.linkerd.io/proxy-version` annotation could be empty\n\n## edge-22.10.1\n\nThis edge release fixes some sections of the Viz dashboard appearing blank, and\nadds an optional PodMonitor resource to the Helm chart to enable easier\nintegration with the Prometheus Operator. It also includes many fixes submitted\nby our contributors.\n\n* Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks\n @MoSattler!)\n* Added an optional PodMonitor resource to the main Helm chart (thanks\n @jaygridley!)\n* Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)\n* Expanded the `linkerd authz` command to display AuthorizationPolicy resources\n that target namespaces (thanks @aatarasoff!)\n* Fixed the `NotIn` label selector operator in the policy resources, being\n erroneously treated as `In`.\n* Fixed warning logic around the \"linkerd-viz ClusterRoles exist\" and\n \"linkerd-viz ClusterRoleBindings exist\" checks in `linkerd viz check`\n* Fixed proxies emitting some duplicate inbound metrics\n\n## stable-2.12.1\n\nThis release includes several control plane and proxy fixes for `stable-2.12.0`.\nIn particular, it fixes issues related to control plane HTTP servers' header\nread timeouts resulting in decreased controller success rates, lowers the\ninbound connection pool idle timeout in the proxy, and fixes an issue where the\njaeger injector would put pods into an error state when upgrading from\nstable-2.11.x.\n\nAdditionally, this release adds the `linkerd.io/trust-root-sha256` annotation to\nall injected workloads allowing predictable comparison of all workloads' trust\nanchors via the Kubernetes API.\n\nFor Windows users, note that the Linkerd CLI's `nupkg` file for Chocolatey is\nonce again included in the release assets (it was previously removed in\nstable-2.10.0).\n\n* Proxy\n * Lowered inbound connection pool idle timeout to 3s\n\n* Control Plane\n * Updated AdmissionRegistration API version usage to v1\n * Added `linkerd.io/trust-root-sha256` annotation on all injected workloads\n to indicate certifcate bundle\n * Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to\n conform to specification (thanks @aatarasoff!)\n * Updated the identity controller to not require a `ClusterRoleBinding`\n to read all deployment resources\n * Increased servers' header read timeouts so they no longer match default\n probe and Prometheus scrape intervals\n\n* Helm\n * Restored `namespace` field in Linkerd helm charts\n * Updated `PodDisruptionBudget` `apiVersion` from `policy/v1beta1` to\n `policy/v1` (thanks @Vrx555!)\n\n* Extensions\n * Fixed jaeger injector interfering with upgrades to 2.12.x\n\n## edge-22.9.2\n\nThis release fixes an issue where the jaeger injector would put pods into an\nerror state when upgrading from stable-2.11.x.\n\n* Updated AdmissionRegistration API version usage to v1\n* Fixed jaeger injector interfering with upgrades to 2.12.x\n\n## edge-22.9.1\n\nThis release adds the `linkerd.io/trust-root-sha256` annotation to all injected\nworkloads allowing predictable comparison of all workloads' trust anchors via\nthe Kubernetes API.\n\nAdditionally, this release lowers the inbound connection pool idle timeout to\n3s. This should help avoid socket errors, especially for Kubernetes probes.\n\n* Added `linkerd.io/trust-root-sha256` annotation on all injected workloads\n to indicate certifcate bundle\n* Lowered inbound connection pool idle timeout to 3s\n* Restored `namespace` field in Linkerd helm charts\n* Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to\n conform to specification (thanks @aatarasoff!)\n* Updated the identity controller to not require a `ClusterRoleBinding`\n to read all deployment resources.\n\n## edge-22.8.3\n\nIncreased control plane HTTP servers' read timeouts so that they no longer\nmatch the default probe intervals. This was leading to closed connections\nand decreased controller success rate.\n\n## stable-2.12.0\n\nThis release introduces route-based policy to Linkerd, allowing users to define\nand enforce authorization policies based on HTTP routes in a fully zero-trust\nway. These policies are built on Linkerd's strong workload identities, secured\nby mutual TLS, and configured using types from the Kubernetes [Gateway\nAPI](https://gateway-api.sigs.k8s.io/).\n\nThe 2.12 release also introduces optional request logging (\"access logging\"\nafter its name in webservers), optional support for `iptables-nft`, and a host\nof other improvements and performance enhancements.\n\nAdditionally, the `linkerd-smi` extension is now required to use TrafficSplit,\nand the installation process has been updated to separate management of the\nLinkerd CRDs from the main installation process. With the CLI, you'll need to\n`linkerd install --crds` before running `linkerd install`; with Helm, you'll\ninstall the new `linkerd-crds` chart, then the `linkerd-control-plane` chart.\nThese charts are now versioned using [SemVer](https://semver.org) independently\nof Linkerd releases. For more information, see the [upgrade\nnotes][upgrade-2120].\n\n**Upgrade notes**: Please see the [upgrade instructions][upgrade-2120].\n\n* Proxy\n * Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the\n duration that the proxy may wait for graceful shutdown\n * Added a `config.linkerd.io/access-log` annotation to enable logging of\n workload requests\n * Added a new `iptables-nft` mode for the `proxy-init` initContainer\n * Added support for non-HTTP traffic forwarding within the mesh in `ingress`\n mode\n * Added the `/env.json` log diagnostic endpoint\n * Added a new `process_uptime_seconds_total` metric to track proxy uptime in\n seconds\n * Added support for dynamically discovering policies for ports that are not\n documented in a pod's `containerPorts`\n * Added support for route-based inbound HTTP metrics\n (`route_group`/`route_kind`/`route_name`)\n * Added a new annotation to configure skipping subnets in the init container\n (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker\n workloads (thanks @michaellzc!)\n\n* Control Plane\n * Added support for per-route policy by supporting AuthorizationPolicy\n resources which can target HttpRoute or Server resources\n * Added support for bound service account token volumes for the control plane\n and injected workloads\n * Removed kube-system exclusions from watchers to fix service discovery for\n workloads in the kube-system namespace (thanks @JacobHenner!)\n * Updated healthcheck to ignore `Terminated` state for pods (thanks\n @AgrimPrasad!)\n * Updated the default policy controller log level to `info`; the controller\n will now emit INFO level logs for some of its dependencies\n * Added probe authorization by default, allowing clusters that use a default\n `deny` policy to not explicitly need to authorize probes\n * Fixed an issue where the proxy-injector would break when using\n `nodeAffinity` values for the control plane\n * Fixed an issue where certain control plane components were not restarting as\n necessary after a trust root rotation\n * Removed SMI functionality in the default Linkerd installation; this is now\n part of the `linkerd-smi` extension\n\n* CLI\n * Fixed the `linkerd check` command crashing when unexpected pods are found in\n a Linkerd namespace\n * Updated the `linkerd authz` command to support AuthorizationPolicy and\n HttpRoute resources\n * Updated `linkerd check` to allow RSA signed trust anchors (thanks\n @danibaeyens!)\n * `linkerd install --crds` must be run before `linkerd install`\n * `linkerd upgrade --crds` must be run before `linkerd upgrade`\n * Fixed invalid yaml syntax in the viz extension's tap-injector template\n (thanks @wc-s!)\n * Fixed an issue where the `--default-inbound-policy` setting was not being\n respected\n * Added support for AuthorizationPolicy and HttpRoute to `viz authz` command\n * Added support for AuthorizationPolicy and HttpRoute to `viz stat` command\n * Added support for policy metadata in `linkerd viz tap`\n\n* Helm\n * Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`\n * Charts are now versioned using [SemVer](https://semver.org) independently of\n Linkerd releases\n * Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)\n * Changed the `proxy.await` Helm value so that users can now disable\n `linkerd-await` on control plane components\n * Added the `policyController.probeNetworks` Helm value for configuring the\n networks that probes are expected to be performed from\n\n* Extensions\n * Added annotations to allow Linkerd extension deployments to be evicted by\n the autoscaler when necessary\n * Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)\n mode\n * Added a ServiceAccount token Secret to the multicluster extension to support\n Kubernetes versions >= v1.24\n\nThis release includes changes from a massive list of contributors, including\nengineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and\nothers. A special thank-you to everyone who helped make this release possible:\n\nAgrim Prasad [@AgrimPrasad](https://github.com/AgrimPrasad)\nAhmed Al-Hulaibi [@ahmedalhulaibi](https://github.com/ahmedalhulaibi)\nAleksandr Tarasov [@aatarasoff](https://github.com/aatarasoff)\nAlexander Berger [@alex-berger](https://github.com/alex-berger)\nAo Chen [@chenaoxd](https://github.com/chenaoxd)\nBadis Merabet [@badis](https://github.com/badis)\nBjørn [@Crevil](https://github.com/Crevil)\nBrian Dunnigan [@bdun1013](https://github.com/bdun1013)\nChristian Schlotter [@chrischdi](https://github.com/chrischdi)\nDani Baeyens [@danibaeyens](https://github.com/danibaeyens)\nDavid Symons [@multimac](https://github.com/multimac)\nDmitrii Ermakov [@ErmakovDmitriy](https://github.com/ErmakovDmitriy)\nElvin Efendi [@ElvinEfendi](https://github.com/ElvinEfendi)\nEvan Hines [@evan-hines-firebolt](https://github.com/evan-hines-firebolt)\nEng Zer Jun [@Juneezee](https://github.com/Juneezee)\nGustavo Fernandes de Carvalho [@gusfcarvalho](https://github.com/gusfcarvalho)\nHarry Walter [@haswalt](https://github.com/haswalt)\nIsrael Miller [@imiller31](https://github.com/imiller31)\nJack Gill [@jackgill](https://github.com/jackgill)\nJacob Henner [@JacobHenner](https://github.com/JacobHenner)\nJacob Lorenzen [@Jaxwood](https://github.com/Jaxwood)\nJoakim Roubert [@joakimr-axis](https://github.com/joakimr-axis)\nJosh Ault [@jault-figure](https://github.com/jault-figure)\nJoão Soares [@jasoares](https://github.com/jasoares)\njtcarnes [@jtcarnes](https://github.com/jtcarnes)\nKim Christensen [@kichristensen](https://github.com/kichristensen)\nKrzysztof Dryś [@krzysztofdrys](https://github.com/krzysztofdrys)\nLior Yantovski [@lioryantov](https://github.com/lioryantov)\nMartin Anker Have [@mahlunar](https://github.com/mahlunar)\nMichael Lin [@michaellzc](https://github.com/michaellzc)\nMichał Romanowski [@michalrom089](https://github.com/michalrom089)\nNaveen Nalam [@nnalam](https://github.com/nnalam)\nNick Calibey [@ncalibey](https://github.com/ncalibey)\nNikola Brdaroski [@nikolabrdaroski](https://github.com/nikolabrdaroski)\nOr Shachar [@or-shachar](https://github.com/or-shachar)\nPål-Magnus Slåtto [@dev-slatto](https://github.com/dev-slatto)\nRaman Gupta [@rocketraman](https://github.com/rocketraman)\nRicardo Gândara Pinto [@rmgpinto](https://github.com/rmgpinto)\nRoberth Strand [@roberthstrand](https://github.com/roberthstrand)\nSankalp Rangare [@sankalp-r](https://github.com/sankalp-r)\nSascha Grunert [@saschagrunert](https://github.com/saschagrunert)\nSteve Gray [@steve-gray](https://github.com/steve-gray)\nSteve Zhang [@zhlsunshine](https://github.com/zhlsunshine)\nTakumi Sue [@mikutas](https://github.com/mikutas)\nTanmay Bhat [@tanmay-bhat](https://github.com/tanmay-bhat)\nTáskai Dominik [@dtaskai](https://github.com/dtaskai)\nUjjwal Goyal [@importhuman](https://github.com/importhuman)\nWeichung Shaw [@wc-s](https://github.com/wc-s)\nWim de Groot [@wim-de-groot](https://github.com/wim-de-groot)\nYannick Utard [@utay](https://github.com/utay)\nYurii Dzobak [@yuriydzobak](https://github.com/yuriydzobak)\n罗泽轩 [@spacewander](https://github.com/spacewander)\n\n[upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120\n\n## stable-2.12.0-rc2\n\nThis release is the second release candidate for stable-2.12.0.\n\nAt this point the Helm charts can be retrieved from the stable repo:\n\n```sh\nhelm repo add linkerd https://helm.linkerd.io/stable\nhelm repo up\nhelm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds\nhelm install linkerd-control-plane \\\n -n linkerd \\\n --set-file identityTrustAnchorsPEM=ca.crt \\\n --set-file identity.issuer.tls.crtPEM=issuer.crt \\\n --set-file identity.issuer.tls.keyPEM=issuer.key \\\n linkerd/linkerd-control-plane\n```\n\nThe following lists all the changes since edge-22.8.2:\n\n* Fixed inheritance of the `linkerd.io/inject` annotation from Namespace to\n Workloads when its value is `ingress`\n* Added the `config.linkerd.io/default-inbound-policy: all-authenticated`\n annotation to linkerd-multicluster’s Gateway deployment so that all clients\n are required to be authenticated\n* Added a `ReadHeaderTimeout` of 10s to all the go `http.Server` instances, to\n avoid being vulnerable to \"slowrolis\" attacks\n* Added check in `linkerd viz check --proxy` to warn in case namespace have the\n `config.linkerd.io/default-inbound-policy: deny` annotation, which would not\n authorize scrapes coming from the linkerd-viz Prometheus instance\n* Added validation for accepted values for the `--default-inbound-policy` flag\n* Fixed invalid URL in the `linkerd install --help` output\n* Added `--destination-pod` flag to `linkerd diagnostics endpoints` subcommand\n* Added `proxyInit.runAsUser` in `values.yaml` defaulting to non-zero, to\n complement the new default `proxyInit.runAsRoot: false` that was rencently\n changed\n\n## edge-22.8.2\n\nThis release is considered a release candidate for stable-2.12.0 and we\nencourage you to try it out! It includes an update to the multicluster extension\nwhich adds support for Kubernetes v1.24 and also updates many CLI commands to\nsupport the new policy resources: ServerAuthorization and HTTPRoute.\n\n* Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens!)\n* Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s!)\n* Added support for AuthorizationPolicy and HttpRoute to viz authz command\n* Added support for AuthorizationPolicy and HttpRoute to viz stat\n* Added support for policy metadata in linkerd tap\n* Fixed an issue where certain control plane components were not restarting as\n necessary after a trust root rotation\n* Added a ServiceAccount token Secret to the multicluster extension to support\n Kubernetes versions >= v1.24\n* Fixed an issue where the --default-inbound-policy setting was not being\n respected\n\n## edge-22.8.1\n\nThis releases introduces default probe authorization. This means that on\nclusters that use a default `deny` policy, probes do not have to be explicitly\nauthorized using policy resources. Additionally, the\n`policyController.probeNetworks` Helm value has been added, which allows users\nto configure the networks that probes are expected to be performed from.\n\nAdditionally, the `linkerd authz` command has been updated to support the policy\nresources AuthorizationPolicy and HttpRoute.\n\nFinally, some smaller changes include allowing to disable `linkerd-await` on\ncontrol plane components (using the existing `proxy.await` configuration) and\nchanging the default iptables mode back to `legacy` to support more cluster\nenvironments by default.\n\n* Updated the `linkerd authz` command to support AuthorizationPolicy and\n HttpRoute resources\n* Changed the `proxy.await` Helm value so that users can now disable\n `linkerd-await` on control plane components\n* Added probe authorization by default allowing clusters that use a default\n `deny` policy to not explicitly need to authorize probes\n* Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode\n* Added the `policyController.probeNetworks` Helm value for configuring the\n networks that probes are expected to be performed from\n* Changed the default iptables mode to `legacy`\n\n## edge-22.7.3\n\nThis release adds a new `nft` iptables mode, used by default in proxy-init.\nWhen used, firewall configuration will be set-up through the `iptables-nft`\nbinary; this should allow hosts that do not support `iptables-legacy` (such as\nRHEL based environments) to make use of the init container. The older\n`iptables-legacy` mode is still supported, but it must be explictly turned on.\nMoreover, this release also replaces the `HTTPRoute` CRD with Linkerd's own\nversion, and includes a number of fixes and improvements.\n\n* Added a new `iptables-nft` mode for proxy-init. When running in this mode,\n the firewall will be configured with `nft` kernel API; this should allow\n users to run the init container on RHEL-family hosts\n* Fixed an issue where the proxy-injector would break when using `nodeAffinity`\n values for the control plane\n* Updated healthcheck to ignore `Terminated` state for pods (thanks\n @AgrimPrasad!)\n* Replaced `HTTRoute` CRD version from `gateway.networking.k8s.io` with a\n similar version from the `policy.linkerd.io` API group. While the CRD is\n similar, it does not support the `Gateway` type, does not contain the\n `backendRefs` fields, and does not support `RequestMirror` and `ExtensionRef`\n filter types.\n* Updated the default policy controller log level to `info`; the controller\n will now emit INFO level logs for some of its dependencies\n* Added validation to ensure `HTTPRoute` paths are absolute; relative paths are\n not supported by the proxy and the policy controller admission server will\n reject any routes that use paths which do not start with `/`\n\n## edge-22.7.2\n\nThis release adds support for per-route authorization policy using the\nAuthorizationPolicy and HttpRoute resources. It also adds a configurable\nshutdown grace period to the proxy which can be used to ensure that proxy\ngraceful shutdown completes within a certain time, even if there are outstanding\nopen connections.\n\n* Removed kube-system exclusions from watchers to fix service discovery for\n workloads in the kube-system namespace (thanks @JacobHenner!)\n* Added annotations to allow Linkerd extension deployments to be evicted by the\n autoscaler when necessary\n* Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)\n* Added support for per-route policy by supporting AuthorizationPolicy resources\n which target HttpRoute resources\n* Fixed the `linkerd check` command crashing when unexpected pods are found in\n a Linkerd namespace\n* Added a `config.linkerd.io/shutdown-grace-period` annotation to configure the\n proxy's maximum grace period for graceful shutdown\n\n## edge-22.7.1\n\nThis release includes a security improvement. When a user manually specified the\n`policyValidator.keyPEM` setting, the value was incorrectly included in the\n`linkerd-config` configmap. This means that this private key was erroneously\nexposed to service accounts with read access to this configmap. Practically,\nthis means that the Linkerd `proxy-injector`, `identity`, and `heartbeat` pods\ncould read this value. This should **not** have exposed this private key to\nother unauthorized users unless additional role bindings were added outside of\nLinkerd. Nevertheless, we recommend that users who manually set control plane\ncertificates update the credentials for the policy validator after upgrading\nLinkerd.\n\nAdditionally, the linkerd-multicluster extensions has several fixes related to\nfail fast errors during link watch restarts, improper label matching for\nmirrored services, and properly cleaning up mirrored endpoints in certain\nsituations.\n\nLastly, the proxy can now retry gRPC requests that have responses with a\nTRAILERS frame. A fix to reduce redundant load balancer updates should also\nresult in less connection churn.\n\n* Changed unit tests to use newly introduced `prommatch` package for asserting\n expected metrics (thanks @krzysztofdrys!)\n* Fixed Docker container runtime check to only during `linkerd install` rather\n than `linkerd check --pre`\n* Changed linkerd-multicluster's remote cluster watcher to assume the gateway is\n alive when starting—fixing fail fast errors from occurring during restarts\n (thanks @chenaoxd!)\n* Added `matchLabels` and `matchExpressions` to linkerd-multicluster's Link CRD\n* Fixed linkerd-multicluster's label selector to properly select resources that\n match the expected label value, rather than just the presence of the label\n* Fixed linkerd-multicluster's cluster watcher to properly clean up endpoints\n belonging to remote headless services that are no longer mirrored\n* Added the HttpRoute CRD which will be used by future policy features\n* Fixed CNI plugin event processing where file updates could sometimes be\n skipped leading to the update not being acknowledged\n* Fixed redundant load balancer updates in the proxy that could cause\n unnecessary connection churn\n* Fixed gRPC request retries for responses that contain a TRAILERS frame\n* Fixed the dashboard's `linkerd check` due to missing RBAC for listing pods in\n the cluster\n* Fixed API check that ensures access to the Server CRD (thanks @aatarasoff!)\n* Changed `linkerd authz` to match the labels of pre-fetched Pods rather than\n the multiple API calls it was doing—resulting in significant speed-up (thanks\n @aatarasoff!)\n* Unset `policyValidtor.keyPEM` in `linkerd-config` ConfigMap\n\n## edge-22.6.2\n\nThis edge release bumps the minimum supported Kubernetes version from `v1.20`\nto `v1.21`, introduces some new changes, and includes a few bug fixes. Most\nnotably, a bug has been fixed in the proxy's outbound load balancer that could\ncause panics, especially when the balancer would process many service discovery\nupdates in a short period of time. This release also fixes a panic in the\nproxy-injector, and introduces a change that will include HTTP probe ports in\nthe proxy's inbound ports configuration, to be used for policy discovery.\n\n* Fixed a bug in the proxy's outbound load balancer that could cause panics\n when many discovery updates were processed in short time periods\n* Added `runtimeClassName` options to Linkerd's Helm chart (thanks @jtcarnes!)\n* Introduced a change in the proxy-injector that will configure the inbound\n ports proxy configuration with the pod's probe ports (HTTPGet)\n* Added godoc links in the project README file (thanks @spacewander!)\n* Increased minimum supported Kubernetes version to `v1.21` from `v1.20`\n* Fixed an issue where the proxy-injector would not emit events for resources\n that receive annotation patches but are skipped for injection\n* Refactored `PublicIPToString` to handle both IPv4 and IPv6 addresses in a\n similar behavior (thanks @zhlsunshine!)\n* Replaced the usage of branch with tags, and pinned `cosign-installer` action\n to `v1` (thanks @saschagrunert!)\n* Fixed an issue where the proxy-injector would panic if resources have an\n unsupported owner kind\n\n## edge-22.6.1\n\nThis edge release fixes an issue where Linkerd injected pods could not be\nevicted by Cluster Autoscaler. It also adds the `--crds` flag to `linkerd check`\nwhich validates that the Linkerd CRDs have been installed with the proper\nversions.\n\nThe previously noisy \"cluster networks can be verified\" check has been replaced\nwith one that now verifies each running Pod IP is contained within the current\n`clusterNetworks` configuration value.\n\nAdditionally, linkerd-viz is no longer required for linkerd-multicluster's\n`gateways` command — allowing the `Gateways` API to marked as deprecated for\n2.12.\n\nFinally, several security issues have been patched in the Docker images now that\nthe builds are pinned only to minor — rather than patch — versions.\n\n* Replaced manual IP address parsing with functions available in the Go standard\n library (thanks @zhlsunshine!)\n* Removed linkerd-multicluster's `gateway` command dependency on the linkerd-viz\n extension\n* Fixed issue where Linkerd injected pods were prevented from being evicted by\n Cluster Autoscaler\n* Added the `dst_target_cluster` metric to linkerd-multicluster's service-mirror\n controller probe traffic\n* Added the `--crds` flag to `linkerd check` which validates that the Linkerd\n CRDs have been installed\n* Removed the Docker image's hardcoded patch versions so that builds pick up\n patch releases without manual intervention\n* Replaced the \"cluster networks can be verified check\" check with a \"cluster\n networks contains all pods\" check which ensures that all currently running Pod\n IPs are contained by the current `clusterNetworks` configuration\n* Added IPv6 compatible IP address generation in certain control plane\n components that were only generating IPv4 (thanks @zhlsunshine!)\n* Deprecated linkerd-viz's `Gateways` API which is no longer used by\n linkerd-multicluster\n* Added the `promm` package for making programatic Prometheus assertions in\n tests (thanks @krzysztofdrys!)\n* Added the `runAsUser` configuration to extensions to fix a PodSecurityPolicy\n violation when CNI is enabled\n\n## edge-22.5.3\n\nThis edge release fixes a few proxy issues, improves the upgrade process, and\nintroduces proto retries to Service Profiles. Also included are updates to the\nbash scripts to ensure that they follow best practices.\n\n* Polished the shell scripts (thanks @joakimr-axis)\n* Introduced retries to Service Profiles based on the idempotency option of the\n method by adding an isRetryable function to the proto definition\n (thanks @mahlunar)\n* Fixed proxy responses to CONNECT requests by removing the content-length\n and/or transfer-encoding headers from the response\n* Fixed DNS lookups in the proxy to consistently use A records when SRV records\n cannot be resolved\n* Added dynamic policy discovery to the proxy by evaluating traffic on ports\n not included in the LINKERD2_PROXY_INBOUND_PORTS environment variable\n* Added logic to require that the linkerd CRDs are installed when running\n the `linkerd upgrade` command\n\n## edge-22.5.2\n\nThis edge release ships a few changes to the chart values, a fix for\nmulticluster headless services, and notable proxy features. HA functionality,\nsuch as PDBs, deployment strategies, and pod anti-affinity, have been split\nfrom the HA values and are now configurable for the control plane. On the proxy\nside, non-HTTP traffic will now be forwarded on the outbound side within the\ncluster when the proxy runs in ingress mode.\n\n* Updated `ingress-mode` proxies to forward non-HTTP traffic within the cluster\n (protocol detection will always be attempted for outbound connections)\n* Added a new proxy metric `process_uptime_seconds_total` to keep track of the\n number of seconds since the proxy started\n* Fixed an issue with multicluster headless service mirroring, where exported\n endpoints would be mirrored with a delay, or when changes to the export label\n would be ignored\n* Split HA functionality, such as PodDisruptionBudgets, into multiple\n configurable values (thanks @evan-hines-firebolt for the initial work)\n\n## edge-22.5.1\n\nThis edge release adds more flexibility to the MeshTLSAuthentication and\nAuthorizationPolicy policy resources by allowing them to target entire\nnamespaces. It also fixes a race condition when multiple CNI plugins are\ninstalled together as well as a number of other bug fixes.\n\n* Added support for MeshTLSAuthentication resources to target an entire\n namespace, authenticating all ServiceAccounts in that namespace\n* Fixed a panic in `linkerd install` when the `--ignore-cluster` flag is passed\n* Fixed issue where pods would fail to start when `enablePSP` and\n `proxyInit.runAsRoot` are set\n* Added support for AuthorizationPolicy resources to target namespaces, applying\n to all Servers in that namespace\n* Fixed a race condition where the Linkerd CNI configuration could be\n overwritten when multiple CNI plugins are installed\n* Added test for opaque ports using Service and Pod IPs (thanks @krzysztofdrys!)\n* Fixed an error in the linkerd-viz Helm chart in HA mode\n\n## edge-22.4.1\n\nIn order to support having custom resources in the default Linkerd installation,\nthe CLI install flow is now always a 2-step process where `linkerd install\n--crds` must be run first to install CRDs only and then `linkerd install` is run\nto install everything else. This more closely aligns the CLI install flow with\nthe Helm install flow where the CRDs are a separate chart. This also applies to\n`linkerd upgrade`. Also, the `config` and `control-plane` sub-commands have been\nremoved from both `linkerd install` and `linkerd upgrade`.\n\nOn the proxy side, this release fixes an issue where proxies would not honor the\ncluster's opaqueness settings for non-pod/service addresses. This could cause\nprotocol detection to be peformed, for instance, when using off-cluster\ndatabases.\n\nThis release also disables the use of regexes in Linkerd log filters (i.e., as\nset by `LINKERD2_PROXY_LOG`). Malformed log directives could, in theory, cause a\nproxy to stop responding.\n\nThe `helm.sh/chart` label in some of the CRDs had its formatting fixed, which\navoids issues when installing/upgrading through external tools that make use of\nit, such as recent versions of Flux.\n\n* Added `--crds` flag to install/upgrade and remove config/control-plane stages\n* Allowed the `AuthorizationPolicy` CRD to have an empty\n `requiredAuthenticationRefs` entry that allows all traffic\n* Introduced `nodeAffinity` config in all the charts for enhanced control on the\n pods scheduling (thanks @michalrom089!)\n* Introduced `resources`, `nodeSelector` and `tolerations` configs in the\n `linkerd-multicluster-link` chart for enhanced control on the service mirror\n deployment (thanks @utay!)\n* Fixed formatting of the `helm.sh/chart` label in CRDs\n* Updated container base images from buster to bullseye\n* Added support for spaces in the `config.linkerd.io/opaque-ports` annotation\n\n## edge-22.3.5\n\nThis edge release introduces new policy CRDs that allow for more generalized\nauthorization policies.\n\nThe `AuthorizationPolicy` CRD authorizes clients that satisfy all the required\nauthentications to communicate with the Linkerd `Server` that it targets.\nRequired authentications are specified through the new `MeshTLSAuthentication`\nand `NetworkAuthentication` CRDs.\n\nA `MeshTLSAuthentication` defines a list of authenticated client IDs—specified\ndirectly by proxy identity strings or referencing resources such as\n`ServiceAccount`s.\n\nA `NetworkAuthentication` defines a list of client networks that will be\nauthenticated.\n\nAdditionally, to support the new CRDs, policy-related labels have been changed\nto better categorize policy metrics. A `srv_kind` label has been introduced\nwhich splits the current `srv_name` value—formatted as `kind:name`—into separate\nlabels. The `saz_name` label has been removed and is replaced by the new\n`authz_kind` and `authz_name` labels.\n\n* Introduced the `srv_kind` label which allowed splitting the value of the\n current `srv_name` label\n* Removed the `saz_name` label and replaced it with the new `authz_kind` and\n `authz_name` labels\n* Fixed an issue in the destination controller where an update would not be sent\n after an endpoint was discovered for a currently empty service\n* Introduced the following custom resource types to support generalized\n authorization policies: `AuthorizationPolicy`, `MeshTLSAuthentication`,\n `NetworkAuthentication`\n* Deprecated the `--proxy-version` flag (thanks @importhuman!)\n* Updated linkerd-viz to use new policy CRDs\n\n## edge-22.3.4\n\n* Disabled pprof endpoints on Linkerd control plane components by default\n* Fixed an issue where mirror service endpoints of headless services were always\n ready regardless of gateway liveness\n* Added server side validation for ServerAuthorization resources\n* Fixed an \"origin not allowed\" issue when using the latest Grafana with the\n Linkerd Viz extension\n\n## edge-22.3.3\n\nThis edge release ensures that in multicluster installations, mirror service\nendpoints have their readiness tied to gateway liveness. When the gateway for a\ntarget cluster is not alive, the endpoints that point to it on a source cluster\nwill properly indicate that they are not ready.\n\n* Fixed tap controller logging errors that were succeptible to log forgery by\n ensuring special characters are escaped\n* Fixed issue where mirror service endpoints were always ready regardless of\n gateway liveness\n* Removed unused `namespace` entry in `linkerd-control-plane` chart\n\n## edge-22.3.2\n\nThis edge release includes a few fixes and quality of life improvements. An\nissue has been fixed in the proxy allowing HTTP Upgrade requests to work\nthrough multi-cluster gateways, and the init container's resource limits and\nrequests have been revised. Additionally, more Go linters have been enabled and\nimprovements have been made to the devcontainer.\n\n* Changed `linkerd-init` resource (CPU/memory) limits and requests to ensure by\n default the init container does not break a pod's `Guaranteed` QOS class\n* Added a new check condition to skip pods whose status is `NodeShutdown`\n during validation as they will not have a proxy container\n* Fixed an issue that would prevent proxies from sending HTTP Upgrade requests\n (used in websockets) through multi-cluster gateways\n\n## edge-22.3.1\n\nThis edge release includes updates to dependencies, CI, and rust 1.59.0. It also\nincludes changes to the `linkerd-jaeger` chart to ensure that namespace labels\nare preserved and adds support for `imagePullSecrets`, along with improvements\nto the multicluster and policy functionality.\n\n* Added note to `multicluster link` command to clarify that the link is\n one-direction\n* Introduced `imagePullSecrets` to Jaeger Helm chart\n* Updated Rust to v1.59.0\n* Fixed a bug where labels can be overwritten in the `linkerd-jaeger` chart\n* Fix broken mirrored headles services after `repairEndpoints` runs\n* Updated `Server` CRD to handle an empty `PodSelector`\n\n## edge-22.2.4\n\nThis edge release continues to address several security related lints and\nensures they are checked by CI.\n\n* Add `linkerd check` warning for clusters that cannot verify their\n `clusterNetworks` due to Nodes missing the `podCIDR` field\n* Changed `Server` CRD to allow having an empty `PodSelector`\n* Modified `linkerd inject` to only support `https` URLs to mitigate security\n risks\n* Fixed potential goroutine leak in the port forwarding used by several CLI\n commands and control plane components\n* Fixed timeouts in the policiy validator which could lead to failures if\n `failurePolicy` was set to `Fail`\n\n## edge-22.2.3\n\nThis edge release fixes some `Instant`-related proxy panics that occur on Amazon\nLinux. It also includes many behind the scenes improvements to the project's\nCI and linting.\n\n* Removed the `--controller-image-version` install flag to simplify the way that\n image versions are handled. The controller image version can be set using the\n `--set linkerdVersion` flag or Helm value\n* Lowercased logs and removed redundant lines from the Linkerd2 proxy init\n container\n* Prevented the proxy from logging spurious errors when its pod does not define\n any container ports\n* Added workarounds to reduce the likelihood of `Instant`-related proxy panics\n that occur on Amazon Linux\n\n## edge-22.2.2\n\nThis edge release updates the jaeger extension to be available in ARM\narchitectures and applies some security-oriented amendments.\n\n* Upgraded jaeger and the opentelemetry-collector to their latest versions,\n which now support ARM architectures\n* Fixed `linkerd multicluster check` which was reporting false warnings\n* Started enforcing TLS v1.2 as a minimum in the webhook servers\n* Had the identity controller emit SHA256 certificate fingerprints in its\n logs/events, instead of MD5\n\n## edge-22.2.1\n\nThis edge release removed the `disableIdentity` configuration now that the proxy\nno longer supports running without identity.\n\n* Added a `privileged` configuration to linkerd-cni which is required by some\n environments\n* Fixed an issue where the TLS credentials used by the policy validator were not\n updated when the credentials were rotated\n* Removed the `disableIdentity` configurations now that the proxy no longer\n supports running without identity\n* Fixed an issue where `linkerd jaeger check` would needlessly fail for BYO\n Jaeger or collector installations\n* Fixed a Helm HA installation race condition introduced by the stoppage of\n namespace creation\n\n## edge-22.1.5\n\nThis edge release adds support for per-request Access Logging for HTTP inbound\nrequests in Linkerd. A new annotation i.e. `config.linkerd.io/access-log` is added,\nwhich configures the proxies to emit access logs to stderr. `apache` and `json`\nare the supported configuration options, emitting access logs in Apache Common\nLog Format and JSON respectively.\n\nSpecial thanks to @tustvold for all the initial work around this!\n\n* Updated injector to support the new `config.linkerd.io/access-log` annotation\n* Added a new `LINKERD2_PROXY_ACCESS_LOG` proxy environment variable to configure\n the access log format (thanks @tustvold)\n* Updated service mirror controller to emit relevant events when\n mirroring is skipped for a service\n* Updated various dependencies across the project (thanks @dependabot)\n\n## edge-22.1.4\n\nThis edge release features a new configuration annotation, support for\nexternally hosted Grafana instances, and other improvements in the CLI,\ndashboard and Helm charts. To learn more about using an external Grafana\ninstance with Linkerd, you can refer to our\n[docs](https://github.com/linkerd/website/blob/0c3c5cd5ae329cd7dbcca18534f3bc8ec7d57859/linkerd.io/content/2.12/tasks/grafana.md).\n\n* Added a new annotation to configure skipping subnets in the init container\n (`config.linkerd.io/skip-subnets`). This configuration option is ideal for\n Docker-in-Docker (dind) workloads (thanks @michaellzc!)\n* Added support in the dashboard for externally hosted Grafana instances\n (thanks @jackgill!)\n* Introduced resource block to `linkerd-jaeger` Helm chart (thanks\n @yuriydzobak!)\n* Introduced parametrized datasource (`DS_PROMETHEUS`) in all Grafana\n dashboards. This allows pointing to the right Prometheus datasource when\n importing a dashboard\n* Introduced a consistent `--ignore-cluster` flag in the CLI for the base\n installation and extensions; manifests will now be rendered even if there is\n an existing installation in the current Kubernetes context (thanks\n @krzysztofdrys!)\n* Updated the service mirror controller to skip mirroring services whose\n namespaces do not yet exist in the source cluster; previously, the service\n mirror would create the namespace itself.\n\n## edge-22.1.3\n\nThis release removes the Grafana component in the linkerd-viz extension.\nUsers can now import linkerd dashboards into Grafana from the [Linkerd org](https://grafana.com/orgs/linkerd)\nin Grafana. Users can also follow the instructions in the [docs](https://github.com/linkerd/website/blob/f687a04ee43c90bd804b04af287bc80c9366db98/linkerd.io/content/2.12/tasks/grafana.md)\nto install a separate Grafana that can be integrated with the Linkerd Dashboard.\n\n* Stopped shipping grafana-based image in the linkerd-viz extension\n* Removed `repair` sub-command in the CLI\n* Updated various dependencies across the project (thanks @dependabot)\n\n## edge-22.1.2\n\nThis release sets the version of the extension Helm charts to 30.0.0-edge to\nensure that previous versions of these charts can be upgraded properly.\n\n* Reset extensions Helm chart versions at 30.0.0-edge\n* Pin multicluster extension pause container version to 3.2 so that it will work\n on Arm architectures\n* Create a unique PSP `RoleBinding` for each multicluster link to prevent\n conflicts when PSP is enabled\n\n## edge-22.1.1\n\nThis release adds support for using the cert-manager CA Injector to configure\nLinkerd's webhooks.\n\n* Fixed a rare issue when a Service's opaque ports annotation does not match\n that of the pods in the service\n* Disallowed privilege escalation in control plane containers (thanks @kichristensen!)\n* Updated the multicluster extension's service mirror controller to make mirror\n services empty when the exported service is empty\n* Added support for injecting Webhook CA bundles with cert-manager CA Injector\n (thanks @bdun1013!)\n\n## edge-21.12.4\n\nThis release adds support for custom HTTP methods in the viz stats\n(i.e CLI and Dashboard). Additionally, it also includes various\nsmaller improvements.\n\n* Added support for custom HTTP methods in the `linkerd-viz` stats\n* Updated the health checker to pull trust root from the `linkerd-identity-trust-roots`\n configmap to support cases where they are generated externally (thanks @wim-de-groot)\n* Removed unnecessary `installNamespace` bool flag from the\n `linkerd-control-plane` chart (thanks @mikutas)\n* Updated the `install` command to error if container runtime check fails\n* Updated various dependencies across the project (thanks @dependabot)\n\n## edge-21.12.3\n\nThis edge release contains a few improvements to the CLI commands and a major\nchange around Helm charts.\n\n* **Breaking change**\n\nThe `linkerd2` chart has been deprecated in favor of the `linkerd-crds` and\n`linkerd-control-plane` charts. The former takes care of installing all the\nrequired CRDs and the latter everything else. Of important note is that, as per\nHelm best practice, we're no longer creating the linkerd namespace. Users\nrequire to do that manually, or have the Helm tool do it explicitly. So the\ninstall procedure would look something like this:\n\n```bash\nhelm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds\n\nhelm install linkerd-control-plane -n linkerd \\\n --set-file identityTrustAnchorsPEM=ca.crt \\\n --set-file identity.issuer.tls.crtPEM=issuer.crt \\\n --set-file identity.issuer.tls.keyPEM=issuer.key \\\n linkerd/linkerd-control-plane\n```\n\nIn order to upgrade, please delete your previously installed `linkerd2` chart\nand install the new charts as explained above.\n\nAlthough the charts for the main extensions (viz, multicluster, jaeger,\nlinkerd2-cni) were not deprecated, they also stopped creating their namespace\nand users are required to uninstall and reinstall them anew, e.g:\n\n```bash\nhelm install linkerd-viz -n linkerd-viz --create-namespace linkerd/linkerd-viz\n```\n\n* Added a new `--obfuscate` flag to `linkerd diagnostics proxy-metrics` to\n obfuscate potentially private information in the output (thanks\n @ahmedalhulaibi!)\n* Fixed formatting of the recommended value for `--set clusterNetworks` in the\n `linkerd check` output when that parameter doesn't contain all the node\n podCIDRs (thanks @ElvinEfendi!)\n* Skipped evicted pods in `linkerd viz check` and `linkerd jaeger check`, to\n avoid the checks fail unnecessarily\n* Removed some no longer used environment variables from the proxy's manifest\n\n## edge-21.12.2\n\nThis edge removes the default SMI functionality that is included in\ninstallations now that the linkerd-smi extension provides these resources. It\nalso relaxes the `proxy-init`'s `privileged` value to only be set to `true` when\nneeded by certain installation configurations.\n\nAlong with some bug fixes, the repository's issue and feature request templates\nhave been updated to forms; check them when opening a [new\nissue](https://github.com/linkerd/linkerd2/issues/new/choose)! (thanks\n@mikutas).\n\n* Removed SMI functionality in the default Linkerd installation; this is now\n part of the linkerd-smi extension\n* Fixed autocompletion of the `--context` flag (thanks @mikutas!)\n* Added support for conditionally setting `proxy-init`'s `privileged: true` only\n when needed (thanks @alex-berger!)\n* Added support for controlling opaque ports through the Server resource\n* Fixed an issue where `linkerd check` would compare proxy versions of\n uninjected pods leading to incorrect errors\n* Relaxed extension checks so that the CLI still works when not all extension\n proxies are healthy\n* Added the `--default-inbound-policy` flag to `linkerd inject` for setting a\n non-default inbound policy on injected workloads (thanks @ahmedalhulaibi!)\n\n## edge-21.12.1\n\nThis edge release enables by default `EndpointSlices` in the destination\ncontroller, which unblocks any functionality that is specific to\n`EndpointSlices` such as as topology-aware hints. It also contains a couple of\ninternal cleanups and upgrades, by our external contributors!\n\n* Added new check to `linkerd check` verifying the nodes aren't running the old\n Docker container runtime and attempting to run proxy-init as root at the same\n time, which doesn't work (thanks @alex-berger!)\n* Enabled `EndpointSlices` in the destination controller by default\n* Removed extraneous empty lines and fixed the formatting of warnings in the\n output of `linkerd check -o short`\n* Upgraded to go 1.17 (thanks @Juneezee!)\n* Removed old protobuf definitions from the codebase (thanks @krzysztofdrys!)\n\n## edge-21.11.4\n\nThis edge release introduces a change in the destination service to honor\nopaque ports set in the `proxyProtocol` field of `Server` resources. This\nchange makes it possible to set opaque ports directly in `Server` resources\nwithout needing the opaque ports annotation on pods. The release also features\na number of fixes and improvements, a big thank you to our external\ncontributors for their continued support and involvement.\n\n* Added support in the destination service for honoring opaque ports marked in\n `Server` resources; ports can now be marked as opaque directly in `Server`\n resources through the `proxyProtocol` field.\n* Added support to override default behavior and run `proxyInit` as root\n (thanks @alex-berger!)\n* Added multicluster `Link` CRD to code generation script; consumers of the\n multicluster API can now use a typed API to interact with multicluster links\n (thanks @zaharidichev!)\n* Added a multicluster integration test for exported headless services (thanks\n @importhuman!)\n* Deprecated `v1alpha1` version of the policy APIs\n* Removed newline from `linkerd check` header text (thanks @mikutas!)\n* Replaced deprecated `beta.kubernetes.io/os` label with `kubernetes.io/os`\n\n## edge-21.11.3\n\nThis edge releases fixes a compatibility issue that prevented the policy\ncontroller from starting in some Kubernetes distributions. This release also\nincludes a new High Availability mode for the gateway component in multicluster\nextension. Various dependencies across the CNI plugin, Policy Controller and\ndashboard have also been upgraded. In the proxy, error logging when the proxy\nfails to accept a connection due to a system error has been improved.\n\n* Updated policy controller to use `openssl` instead of `rustls` to fix\n compatibility issues with some Kubernetes distributions\n* Added HA mode to multicluster gateway that adds a PodDisruptionBudget,\n additional replicas and anti-affinity to the deployment (thanks @Crevil)\n* Improved TCP server error messages in the proxy\n* Fixed broken Grafana links in the dashboard\n* Upgraded CNI pkg to v0.8.1 in `linkerd-cni` to support latest CNI\n versions\n* Updated various dependencies in the dashboard, policy controller\n (thanks @dependabot)\n\n## edge-21.11.2\n\nThis edge release introduces a new Services page in the web dashboard that shows\nlive calls and route metrics for meshed services. Additionally, the `proxy-init`\ncontainer is no longer enforced to run as root. Lastly, the proxy can now retry\nrequests with a `content-length` header—permitting requests emitted by grpc-go\nto be retried.\n\n* Removed hardcoding that enforced the `proxy-init` container to run as root\n* Added support for retrying requests without a `content-length` header\n* Changed service discovery logs from `TRACE` to `DEBUG`\n* Fixed issue with policy controller where it assumed `linkerd` was the name of\n the control plane namespace, leading to issues with installations that use a\n non-default namespace name\n* Added support for ephemeral storage requests and limits configured either\n through the CLI or annotations (thanks @michaellzc!)\n* Deprecated support for topology keys and added support for topology aware\n hints\n* Added `logFormat` and `logLevel` configuration values for the `proxy-init`\n container (thanks @gusfcarvalho!)\n* Added services to the web dashboard (thanks @krzysztofdrys!)\n* Updated example commands in the web dashboard to use the `viz` subcommand when\n necessary (thanks @mikutas!)\n* Removed references to `linkerd-sp-validator` service account in the\n `linkerd-psp` role binding (thanks @multimac!)\n\n## edge-21.11.1\n\nIn this edge, we're very excited to introduce Service Account Token Volume\nProjections, used to set up the pods' identities. These tokens are bounded\nspecifically for this use case and are rotated daily, replacing the usage of the\ndefault tokens injected by Kubernetes which are overly permissive.\n\nNote that this edge release updates the minimum supported kubernetes version to\n1.20.\n\n* Updated the minimum supported kubernetes version to 1.20\n* Use Service Account Token Volume Projections to set up the pods' identities;\n now injection also works on pods with `automountServiceAccountToken` set to\n `false`\n* Updated proxy-init's Alpine base image to fix some CVEs (not affecting\n Linkerd)\n* Updated the Prometheus image in linkerd-viz to 2.30.3\n* Changed the proxy and policy controller to use jemalloc on x86_64 gnu/linux to\n reduce memory usage\n* Fixed output for `linkerd check -o json`\n* Added ability to configure ephemeral-storage resources for each component\n (thanks @michaellzc!)\n\n## edge-21.10.3\n\nThis edge release fixes a bug in the proxy that could cause it to be killed in\ncertain situations. It also uses a more relaxed policy for the identity\ncontroller that allows it to work in environments where health checks come from\noutside of the pod network.\n\n* Skipped Prometheus scrapes on policy's `admin` server so that it no longer\n incorrectly appears as \"DOWN\" in the Prometheus UI\n* Updated the identity controller to use the 'all-unauthenticated' policy so\n that it can accept health checks from the node IPs\n* Fixed an infinite loop in the proxy that could cause it to be killed\n* Added tests for the multicluster install command (thanks @crevil!)\n* Fixed a bug where `authz` CLI commands would fail when policy resources had\n an empty selector\n\n## edge-21.10.2\n\nThis edge release fixes linkerd check and the helm charts to explicitly\nindicate that the minimum Kubernetes version is 1.17.0. Prior to this change,\nthere was no validation or enforcement from linkerd check or helm to meet this\nminimum requirement.\n\nThis edge also improves `check` functionality for extensions by adding the\n`-oshort` flag, and prevents duplicate policy resources from being created for\nlinked multicluster services.\n\n* Moved service mirror policy into multicluster base chart\n* Added `-oshort` flag for extension `check` commands\n* Updated minimum kubernetes version to 1.17.0\n* Removed unused `crtExpiry` template parameter from helm charts\n* Fixed multicluster gateway name for ServerAuthorization\n* Added `priorityClassName` to the helm charts to configure control plane\n components\n\n## edge-21.10.1\n\nThis release includes some fixes in the `linkerd check`, along with a\nbunch of dependency updates across the dashboard, Go components, and\nothers. On the proxy side, Support for `TLSv1.2` has been dropped\n(Only `TLSv1.3` cipher suite will be used), `h2` crate has been updated\nto support HTTP/2 messages with larger header values.\n\n* Updated `linkerd check` to avoid multiline errors with retryable checks\n* Fixed incorrect opaque ports warning in `linkerd check --proxy` with\n un-named ports\n* Bumped proxy-init to `1.4.1` which adds support for `--log-level`\n and `--log-format` flags (thanks @gusfcarvalho)\n* Removed the use of `TLSv1.2` in the proxy\n* Updated the `h2` crate in the proxy to support HTTP/2 messages with\n larger header values.\n* Updated various dependencies across the dashboard, policy-controller, etc\n (thanks @dependabot!)\n\n## stable-2.11.0\n\nThis release introduces access control policies. Default policies may be\nconfigured at the cluster- and workspace-levels; and fine grained policies may\nbe instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and\n`ServerAuthorization`. These resources may be created to define how individual\nports accept connections; and the `Server` resource will be a building block for\nfuture features that configure inbound proxy behavior.\n\nFurthermore, `ServiceProfile` retry configurations can now instrument retries\nfor requests with bodies. This unlocks retry behavior for gRPC services.\n\n**Upgrade notes**: Please see the [upgrade instructions][upgrade-2110].\n\n* Proxy\n * Reduced CPU & Memory usage by up to 30% in some load tests\n * Updated retries to support requests with bodies up to 64KB. ServiceProfiles\n may now configure retries for gRPC services\n * The proxy's container image is now based on `gcr.io/distroless/cc` to\n contain a minimal OS footprint that should not trigger unnecessary alerts in\n security scanners\n * Added the `inbound_http_errors_total` and `outbound_http_errors_total`\n metrics to reflect errors that caused the proxy to respond with errors\n * Added an `l5d-proxy-error` header that is included on responses on trusted\n connections for debugging purposes\n * Added a `l5d-client-id` header on mutually-authenticated inbound requests so\n that applications can discover the client's identity\n * Added metrics to reflect TCP and HTTP authorization decisions\n * Added `srv_name` and `saz_name` labels to inbound HTTP metrics\n * Fixed an issue that could cause the proxy to continually reconnect to\n defunct service endpoints\n * Dropped support for non-HTTP outbound services when `linkerd.io/inject:\n ingress` is used\n * Instrumented fuzz testing to help guard against unexpected panics\n\n* Control Plane\n * Added a new `policy-controller` container to the `linkerd-destination`\n pod--the first control plane component implemented in Rust\n * Added a new admission controller to validate that multiple `Server`\n resources do not reference the same port\n * Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust\n root bundle for all pods in the core control plane namespace\n * Eliminated the `linkerd-controller` deployment so that Linkerd's core\n control plane now consists of only 3 deployments\n * Updated the proxy injector to configure the `proxy-init` container with\n `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail\n when the pod drops these capabilities\n\n* CLI\n * Enhanced `linkerd completion` to expand Kubernetes resources from the current\n kubectl context\n * Added an `authz` subcommand to display the authorization policies that\n impact a workload\n * Added a _short_ output mode for `linkerd check` that only prints failed\n checks\n * Added support for `ReplicaSets` to `linkerd stat` so that pods created by\n Argo `Rollout` resources can be inspected\n\n* Helm: please see the [upgrade instructions][upgrade-2110].\n\n* Extensions:\n * Introduced a new (optional) SMI extension responsible for reading\n `specs.smi-spec.io` resources and converting them to Linkerd resources\n * In `stable-2.12`, this extension will be required to use `TrafficSplit`\n resources with Linkerd\n * Added an extensions page to the Linkerd Web UI\n\n * Viz\n * Added `Server` and `ServerAuthorization` resources for all ports\n * Added JSON log formatting\n\n * Jaeger\n * Added OpenTelemetry collector instead of OpenCensus\n\n * Multicluster\n * Added experimental support for `StatefulSet` workloads\n\nThis release includes changes from a massive list of contributors. A special\nthank-you to everyone who helped make this release possible:\n\nGustavo Fernandes de Carvalho @gusfcarvalho\nOleg Vorobev @olegy2008\nBart Peeters @bartpeeters\nStepan Rabotkin @EpicStep\nLiuDui @xichengliudui\nAndrew Hemming @drewhemm\nUjjwal Goyal @importhuman\nKnut Götz @knutgoetz\nSanni Michael @sannimichaelse\nBrandon Sorgdrager @bsord\nGerald Pape @ubergesundheit\nAlexey Kostin @rumanzo\nrdileep13 @rdileep13\nTakumi Sue @mikutas\nAkshit Grover @akshitgrover\nSanskar Jaiswal @aryan9600\nAleksandr Tarasov @aatarasoff\nTaylor @skinn\nMiguel Ángel Pastor Olivar @migue\nwangchenglong01 @wangchenglong01\nJosh Soref @jsoref\nCarol Chen @kipply\nPeter Smit @psmit\nTarvi Pillessaar @tarvip\nJames Roper @jroper\nDominik Münch @muenchdo\nSzymon Gibała @Szymongib\nMitch Hulscher @mhulscher\n\n[upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110\n\n## edge-21.9.5\n\nThis edge is a release candidate for `stable-2.11.0`, containing a couple of\nimprovements to `linkerd check`, some final tweaks before the stable release,\nand a couple of contributions from the community.\n\n* Had `linkerd check --proxy` stop failing on pods that are in Shutdown status\n (thanks @olegy2008!)\n* Lowered from error to warning a failed check on misconfigured opaque ports\n annotations, given that doesn't imply the installation is broken\n* Added log level and format settings to all the viz components (thanks\n @gusfcarvalho!)\n* Removed label from the multicluster gateway and service-mirror pods to allow\n them to be properly rolled out when upgrading\n\n## edge-21.9.4\n\nThis edge is a release candidate for `stable-2.11.0`! It introduces a new\n`linkerd viz auth` command which shows metrics for server authorizations broken\ndown by server for a given resource. It also shows the rate of unauthorized\nrequests to each server. This is helpful for seeing a breakdown of which\nauthorizations are being used and what proportion of traffic is being rejected.\n\nIt also fixes an issue in the proxy where HTTP load balancers could continue\ntrying to establish connections to endpoints that were removed from service\ndiscovery. In addition it improves the proxy's error handling so that it can\nsignal to an inbound proxy when its peers outbound connections should be torn\ndown.\n\n* Changed destination watch updates from `info` to `debug` to reduce the amount\n of logs (thanks @bartpeeters!)\n* Added the `linkerd viz auth` command which shows metrics for server\n authorizations broken down by server for a given resource\n* Fixed an issue where the policy controller's validating admission webhook\n attempted to validate ServerAuthorizations when it should only be validating\n Servers\n* Removed `omitWebhookSideEffects` setting now that we no longer support\n Kubernetes 1.12\n* Improved proxy error handling so that it can signal to its peers that their\n outbound connections should be torn down\n* Fixed an issue where after upgrades there would be a mismatch in certs used by\n the policy controller validator; the destination pod is now restarted similar\n to the injector\n* Fixed a field reference in the Helm template to properly refer to\n `profileValidator.namespaceSelector`\n* Updated policy CRD versions to `v1beta1`\n* Added support for `stat`'s `-o json` option to Server resources\n* Fixed an issue in the proxy where HTTP load balancers could continue trying to\n establish connections to endpoints that were removed from service discovery\n* Added JSON output format to `linkerd viz authz` command\n\n## edge-21.9.3\n\nThis edge is a release candidate for `stable-2.11.0`! It features a new `linkerd\nauthz` CLI command to list servers and authorizations for a workload, as well as\npolicy resources support for `linkerd viz stat`. Furthermore, this edge release\nadds support for JSON log formatting, enables TLS detection on port 443\n(previously marked as opaque), and further improves policy features.\n\n* Removed port 443 from the default list of opaque ports, this will allow the\n proxy to report metadata (such as the connection's SNI value) on TLS\n connections to port 443\n* Added default policies for core Linkerd extensions\n* Added support for JSON log formatting to the policy controller\n* Added support for new policy resources to `viz stat` command\n* Added default policy annotation to `linkerd-identity`\n* Added a new `linkerd authz` command to the CLI to list all server and\n authorization resources that apply to a specific resource\n* Added TLS labels (including client identity) to authorization metrics in the\n proxy\n* Changed the opaque ports CLI check to consider service and pod ports when\n checking annotation values; previously, the check would naively issue warnings\n when the service annotation values were different from the pod it selected\n* Changed how the proxy forwards inbound connections to a pod locally; the proxy\n now targets the original address instead of a port bound on localhost to\n protect services that are only bound on loopback from being exposed to other\n pods\n* Improved memory utilization in the proxy, especially for TCP forwarding, where\n the memory allocated was reduced from 128KB to 16KB\n* Updated the inbound policy system for the proxies to always allow connections\n from localhost\n* Fixed an issue where the policy controller would not detect changes to the\n `proxyProtocol` field of `Server` resources\n* Fixed an issue where the policy admission controller would log a `WARN`\n message when deserializing `Server` structs\n\n## edge-21.9.2\n\nThis edge release gets us closer to 2.11 by further polishing the policy\nfeature. Also the proxy received a noticeable resource consumption improvement.\n\n* Stopped creating the default authorizations for the kubelet\n* Added missing ports to the destination controller's default list of ports, to\n allow the sp-validator to start properly when using a default-deny policy\n* Set the destination and proxy-injector pods default policy to\n `all-unauthenticated` to allow the webhooks to be called from the kube-api\n when using a default-deny policy\n* Extended inbound policies to cover the proxy's admin server\n* Improved the proxy's error handling so that HTTP metrics include 5XX responses\n for common errors\n* The proxy's outbound tap has been fixed to include route labels when service\n profiles are configured\n* Enabled link-time optimizations in the Rust components (proxy and policy\n controller), resulting in noticeable RSS and CPU consumption improvements\n* Made the admin servers in the control plane components properly shut down\n (thanks @EpicStep!)\n* Updated linkerd-await, suppressing the error emitted when linkerd-await was\n disabled\n\n## edge-21.9.1\n\nThis release includes various improvements and feature additions across the policy\nfeature i.e, New validating webhook for policy resources. This also includes changes\nin the proxy i.e, terminating TCP connections when a authorization is revoked, improvements\nin the proxy authorization metrics. In addition, proxy injector has also been updated\nto set the right `opaque-ports` annotation on services with default opaque ports.\n\n* Added a new validating admission controller to validate the policy resources\n* Updated the proxy-init to remove a rule which caused the packets from the proxy\n with destination != 127.0.0.1 on localhost to be sent to the inbound proxy\n* Updated inbound policy enforcement to interrupt TCP forwarding if a previously\n established authorization is revoked\n* Added new proxy metrics to expose authorization decisions\n* Updated inbound TCP metrics to only include a `srv_name` label\n* Updated the proxy to export route-oriented metrics only when a ServiceProfile\n is enabled\n* Updated the proxy's release build configuration to improve CPU and memory\n utilization\n* Added DNS name validation to the `proxy-identity` binary which creates the\n read-only private key required by the proxy (thanks @yorkijr!)\n* Updated the identity controller's default policy to be `cluster-unauthenticated`\n* Updated the proxy injector to include the correct default ports as opaque with\n services\n* Deprecated the usage of `vis stat ts` and print a warning about the SMI extension\n* Updated various dependencies across the dashboard, policy-controller\n (thanks @dependabot!)\n\n## edge-21.8.4\n\nThis edge release continues to build on the policy feature by adding support for\ncluster-scoped default policies and exposing policy labels on various prometheus\nmetrics. The proxy has been updated to return HTTP-level authorization errors\nat the time that the request is processed, instead of when the connection is\nestablished.\n\nIn addition, the proxy-injector has been updated to set the `opaque-ports`\nannotation on a workload to make sure that controllers can discover how the\nworkload was configured. Also, the `sleep` binary has been added to the proxy\nimage in order to restore the functionality required for `waitBeforeExitSeconds`\nto work.\n\n* Added `default-inbound-policy` annotation to the proxy-injector\n* Updated the proxy-injector to always add the `opaque-ports` annotation\n* Added `sleep` binary to proxy image\n* Updated inbound traffic metrics to include server and authorization labels\n* Updated the policy-controller to honor pod level port annotations when a\n `Server` resource definition does not match the ports defined for the workload\n* Updated the point at which the proxy returns HTTP-level authorization errors\n* Exposed permit and policy labels on HTTP metrics\n* Added support for cluster-scoped default policies\n* Dropped `nonroot` variant from the policy-controller's distroless base image\n to avoid erroring in some environments.\n\n## edge-21.8.3\n\nThis release adds support for dynamic inbound policies. The proxy now discovers\npolicies from the policy-controller API for all application ports documented in\na pod spec. Rejected connections are logged. Policies are not yet reflected in\nthe proxy's metrics.\n\nThese policies also allow the proxy to skip protocol detection when a server is\nexplicitly annotated as HTTP/2 or when the server is documented to be opaque or\napplication-terminated TLS.\n\n* Added a new section to linkerd-viz's dashboard that lists installed extensions\n (thanks @sannimichaelse!)\n* Added the `enableHeadlessServices` Helm flag to the `linkerd multicluster\n link` command for enabling headless service mirroring (thanks @knutgoetz!)\n* Removed some unused and duplicate constants in the codebase (thanks\n @xichengliudui!)\n* Added support for exposing service metadata from exported to mirrored services\n in multicluster installations (thanks @importhuman!)\n* Fixed an issue where the policy controller's liveness checks would fail after\n the controller was disconnected but had successfully resumed its watches\n* Fixed the `linkerd-policy` service selector to properly select `destination`\n control plane components\n* Added additional environment variables to the proxy container to allow support\n for dynamic policy configuration\n\n## edge-21.8.2\n\nThis edge release continues the policy work by adding a new controller, written\nin Rust, to expose a discovery API for inbound server policies. Apart from\nthat, this release includes a number of changes from external contributors; the\n`linkerd-jaeger` helm chart now supports passing arguments to the Jaeger\ncontainer through the chart's values file. A number of unused functions and\nvariables have been also removed to improve the quality of the codebase.\nFinally, this release also comes with changes to the proxy's outbound behavior,\na new extensions page on the dashboard, and support for querying service\nmetrics using the `authority` label in `linkerd viz stat`.\n\n* Introduced new `linkerd-policy-controller`; the new controller is written in\n Rust and implements discovery APIs for inbound server policies, the container\n has been added to the `linkerd-destination` pod\n* Updated `linkerd-jaeger` helm chart to support passing arguments to the\n Jaeger container (thanks @bsord!)\n* Added support for querying service metrics using the `authority` label in\n `linkerd viz stat`\n* Improved code hygiene by removing unused constants and functions throughout\n the codebase (thanks @xichengliudui!)\n* Added a new extensions page to the dashboard to list all known built-in and\n third party extensions that can be used with Linkerd\n* Changed outbound behavior in the proxy to tear down server-side connections\n when the remote proxy returns responses that indicate proxy errors; the\n connection in this case will be reset to allow clients to connect to a new\n endpoint\n\n## edge-21.8.1\n\nThis releases includes initial changes w.r.t addition of Authorization into\nLinkerd. It includes adding the new `policy.linkerd.io` CRDs to the core install.\nThis also includes numerous dependency updates both in the web and dashboard.\n\n* Added `servers.policy.linkerd.io` and `serverauthorizations.policy.linkerd.io`\n CRDs into the default Linkerd installation to support configuration and\n discovery of inbound policies\n* Modified the proxy to support upcoming policy features\n* Updated several dashboard dependencies to latest versions\n* Updated several proxy dependencies to latest versions\n\n## edge-21.7.5\n\nThis release updates Linkerd to store the identity trust root in a ConfigMap to\nmake it easier to manage and rotate the trust root. The release also lays the\ngroundwork for StatefulSet support in the multicluster extension and removes\ndeprecated PSP resources by default.\n\n* Added a `linkerd-identity-trust-roots` ConfigMap which contains the configured\n trust root bundle\n* Introduced support for StatefulSets across multicluster (disabled by default)\n* Stopped installing PSP resources by default since these are deprecated as\n of Kubernetes v1.21\n\n## edge-21.7.4\n\nThis release continues to focus on dependency updates. It also adds the\n`l5d-proxy-error` information header to distinguish proxy generated errors\nproxy generated errors from application generated errors.\n\n* Updated several project dependencies\n* Added a new `l5d-proxy-error` on responses that allows proxy-generated error\n responses to be distinguished from application-generated error responses.\n* Removed support for configuring HTTP/2 keepalives via the proxy.\n Configuring this setting would sometimes cause conflicts with Go gRPC servers\n and clients\n* Added a new `target_addr` label to `*_tcp_accept_errors` metrics to improve\n diagnostics, especially for TLS detection timeouts\n\n## edge-21.7.3\n\nThis edge release introduces several changes around metrics. ReplicaSets are now\na supported resource and metrics can be associated with them. A new metric has\nbeen added which counts proxy errors encountered before a protocol can be\ndetected. Finally, the request errors metric has been split into separate\ninbound and outbound directions.\n\n* Fixed printing `check --pre` command usage if it fails after being unable to\n connect to Kubernetes (thanks @rdileep13!)\n* Updated the default skip and opaque ports to match that which is listed in the\n [documentation](https://linkerd.io/2.10/features/protocol-detection/#configuring-protocol-detection)\n* Added the `LINKERD2_PROXY_INBOUND_PORTS` environment variable during proxy\n injection which will be used by ongoing policy changes\n* Added client-go cache size metrics to the `diagnostics controller-metrics`\n command\n* Added validation that the certificate provided by an external issuer is a CA\n (thanks @rumanzo!)\n* Added metrics support for ReplicaSets\n* Replaced the `request_errors_total` metric with two new metrics:\n `inbound_http_errors_total` and `outbound_http_errors_total`\n* Introduced the `inbound_tcp_accept_errors_total` and\n `outbound_tcp_accept_errors_total` metrics which count proxy errors\n encountered before a protocol can be detected\n\n## edge-21.7.2\n\nThis edge release focuses on dependency updates and has a couple of functional\nchanges. First, the Dockerfile used to build the proxy has been updated to use\nthe default `distroless` image, rather than the non-root variant. This change\nis safe because the proxy already runs as non-root within the container. Second,\nthe `ignoreInboundPorts` parameter has been added in the linkerd2-cni helm\ncharts in order to enable tap support.\n\n* Updated several project dependencies\n* Updated the Dockerfile-proxy to use the default distroless image, because\n the proxy already runs as non-root within the container\n* Added `ignoreInboundPorts` parameter to the linkerd2-cni plugin helm chart\n\n## edge-21.7.1\n\nThis edge release adds support for emitting Kubernetes events in the identity\ncontroller when issuing leaf certificates. The event includes the identity,\nexpiry date, and a hash of the certificate. Additionally, this release contains\nmany dependency updates for the control plane's components, and it includes a\nfix for an issue with the clusterNetworks healthcheck.\n\n* Updated the identity controller to emit Kubernetes events when successfully\n issuing leaf certificates to injected pods.\n* Fixed an issue in `linkerd check` where the clusterNetworks healthcheck\n would fail if the `podCIDR` field is omitted from a node's spec.\n* Removed unnecessary controller port-forward logic from the `bin/web` script.\n\n## edge-21.6.5\n\nThis release contains a few improvements, from many contributors! Also under\nthe hood, the destination service has received updates in preparation to the\nupcoming support for StatefulSets across multicluster.\n\n* Improved the `linkerd check --proxy` command to avoid hitting a timeout when\n dealing with large clusters\n* Fixed the web component permissions in order to properly run the podCIDR check\n (thanks @aryan9600!)\n* Avoid having the proxy-init container fail when the main container is\n configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks\n @aryan9600!)\n* Upgraded the proxy-init image to improve the output in \"simulate\" mode (thanks\n @liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)\n* Added test-coverage reports to PRs (thanks @akshitgrover!)\n\n## edge-21.6.3\n\nThis release moves the Linkerd proxy to a more minimal Docker base image,\nadds a check for detecting certain network misconfigurations, and replaces\nthe deprecated OpenCensus collector with the OpenTelemetry collector in the\njaeger extension.\n\n* Switched the Linkerd proxy's base docker image from Debian to a minimal\n distroless base image (thanks @tskinn!)\n* Added a check to verify that Linkerd's clusterNetworks settings match the\n cluster's pod CIDR networks (thanks @aryan9600!)\n* Replaced the deprecated OpenCensus collector with the OpenTelemetry\n collector in the jaeger extension (thanks @aatarasoff!)\n\n## edge-21.6.2\n\nThis release fixes a problem with the HTTP body buffering that was added\nto support gRPC retries. Now, only requests with a retry configuration\nare buffered (and only when their bodies are less than 64KB).\n\nAdditionally, an issue with the outbound ingress-mode proxy where forwarded\nHTTP clients could fail to detect when the target pod was deleted, causing\nconnections to retry forever has been fixed. This only impacted traffic\nforwarded directly to pod IPs and not load balanced services.\n\nFinally, this release also includes some fixes in the CLI and dashboard.\n\n* Added a new check that verifies if the opaque ports annotation is\n misconfigured on services or pods (thanks @migue!)\n* Added support for resource aware completion for core linkerd command\n* Fixed an issue where `namespace` resource was erroneously being shown\n in the dashboard's topology graph\n* Added uninstall command support for legacy extension installs\n* Updated the proxy to only buffer request bodies when a request can be retried\n* Updated the proxy to prevent buffering indefinitely on requests\n when endpoints are updated in ingress mode\n* Fixed spelling mistakes across various files in the project\n (thanks @jsoref!)\n\n## edge-21.6.1\n\nThis release adds support for retrying HTTP/2 requests with small (<64KB)\nmessage bodies, allowing the proxy to properly buffer message bodies when\nresponses are classified as a failure. Documentation on how to configure\nretries can be found [here](https://linkerd.io/2.10/tasks/configuring-retries/).\n\nThis release also modifies the proxy's identity subsystem to instantiate a\nclient on-demand so client connections are not retained continually. Also\nincluded in this release are various bug fixes and improvements as well as\nexpanding support for resource-aware tab completion in the jaeger and\nmulticluster CLI extensions.\n\n* Added support for specifying a `gateway-port` flag for the `multicluster link`\n command (thanks @psmit!)\n* Added support for Kubernetes resource aware tab completion for `jaeger` and\n `multicluster` commands\n* Fixed an issue where `viz`, `jaeger` and `multicluster` extensions could not\n be installed on `PodSecurityPolicy`-enabled clusters\n* Fixed an issue where `linkerd check --proxy` could incorrectly report\n out-of-date proxy versions caused by incorrect regex (thanks @aryan9600!)\n* Added support for the proxy to retry HTTP/2 requests with message bodies\n <= 64KB\n* Modified the proxy's controller stack to create new client connections\n on-demand\n* Fixed Viz's `uninstall` command to remove viz installations that used the\n legacy `linkerd.io/extension: linkerd-viz` label (thanks @jsoref!)\n* Expanded the \"linkerd-existence\" health check to also check for the\n destination pod readiness\n\n## edge-21.5.3\n\nThis edge release contains various improvements to the Viz and Jaeger install\ncharts, along with bug fixes in the CLI, and destination. This release also\nadds kubernetes aware autocompletion to all viz commands, along with\nServiceProfiles to be part of the default `viz install`.\n\nFinally, the proxy has been updated to continue supporting requests without\n`l5d-dst-override` in ingress-mode proxies, to no longer include query parameters\nin the OpenCensus trace spans, and to prevent timeouts with controller clients\nof components with more than one replica.\n\n* Separated protocol hint setting from H2 upgrades in destination profile\n response, thus preventing `hint.OpaqueTransport` field from not being set when\n H2 upgrades are disabled\n* Updated OpenCensus trace spans for HTTP requests to no longer include query\n parameters (thanks @aatarasoff!)\n* Reverted [linkerd/linkerd2-proxy#992](https://github.com/linkerd/linkerd2-proxy/pull/992)\n to support requests without `l5d-dst-override` in ingress-mode proxies\n* Fixed an issue in the proxy to prevent timeouts with controller clients\n of components with more than one replica\n* Fixed `linkerd check --proxy` failure with pods that are part of Jobs\n* Updated `viz install` to also include ServiceProfiles of its components.\n As a side-effect, `linkerd diagnostics install-sp` cmd has been removed\n* Added support for Kubernetes resource aware tab completion for all\n viz commands\n* Updated destination to prefer `ServiceProfile.dstOverrides` over\n `TrafficSplit` when both are present for a service\n* Added toggle flags for `collector` and `jaeger` components in the\n jaeger extension (thanks @tarvip!)\n* Added support for setting `nodeselector`, `toleration` fields for components\n in the Viz extension (thanks @aatarasoff!)\n* Fixed a templating issue in Viz, making `podAnnotations` field\n work with prometheus\n* Updated Golang version to 1.16.4\n* Removed unnecessary `--addon-overwrite` flag in `linkerd upgrade`\n\n## edge-21.5.2\n\nThis edge release updates the proxy-init container to check whether the iptables\nrules have already been added, which prevents errors if the proxy-init container\nis restarted. Also, the `viz stat` command now has tab completion for Kubernetes\nresources, saving you precious keystrokes! Finally, the proxy has been updated\nwith several fixes and improvements.\n\n* Added instructions to `build.md` for using a locally built proxy\n (thanks @jroper!)\n* Added support for Kubernetes resource aware tab completion to the `viz stat`\n command\n* Updated `proxy-init` to skip configuring firewall if rules exists\n* Fixed `viz uninstall` to delete all RBAC objects (thanks @aryan9600!)\n* Improved diagnostics for rejected profile discovery\n* Added the `l5d-client-id` header on mutually-authenticated inbound requests so\n that applications can discover the client's identity.\n* Reduced proxy resource usage when there are no profiles\n* Changed the admin server to assume all meshed connections are HTTP/2 and fail\n connections when that is not the case\n* Updated the proxy to require the `l5d-dst-override` header on outbound\n requests when the proxy is in ingress-mode\n* Removed support for TCP-forwarding in ingress-mode\n\n## edge-21.5.1\n\nThis edge release adds support for versioned hint URLs in `linkerd check` and\nsupport for traffic splitting through ServiceProfiles, among other fixes and\nimprovements. Additionally, more options have been added to the\nlinkerd-multicluster and linkerd-jaeger helm charts.\n\n* Added support for traffic splitting through a ServiceProfile's `dstOverrides`\n field.\n* Added `nodePorts` option to the multicluster helm chart (thanks @psmit!).\n* Added `nodeSelector` and toleration options to the linkerd-jaeger helm chart\n (thanks @aatarasoff!).\n* Added versioned hint URLs to the CLI `check` command when encountering an\n error; each major CLI version will now point to that version's relevant\n section in the Linkerd troubleshooting page.\n* Fixed an issue in the CLI `check` command where error messages for\n healthchecks that were being retried would be outputted repeatedly instead of\n just once.\n* Fixed an issue in the proxy injector where a namespace annotated with opaque\n ports would overwrite all service annotations.\n* Fixed a regression in the proxy that caused all logs to be output with ANSI\n control characters, by default logs are output in plaintext now.\n* Simplified proxy internals in order to distinguish endpoint-forwarding logic\n from the handling of load balanced services.\n* Simplified the ingress-mode outbound proxy by requiring the\n `l5d-dst-override` header and by failing non-HTTP communication. Proxies\n running in ingress-mode will not unexpectedly revert to insecure\n communication as a result.\n\n## edge-21.4.5\n\nThis edge release adds a new output format `short` for `linkerd check` to show a\nsummary of the check output. This release also includes various proxy bug fixes\nand improvements.\n\n* Proxy\n * Fixed a task leak that would be triggered when clients disconnect a\n service in failfast.\n * Improved admin server protocol detection so that error messages are\n more descriptive about the underlying problem.\n * Fixed panics found in fuzz testing. These panics were extremely\n unlikely to occur in practice and would require very specific\n configuration overrides to be triggered.\n* CLI\n * Added support for a new `short` format for the `--output` flag of the `check`\n command to show a summary of check results\n\n## edge-21.4.4\n\nThis edge release further consolidates the control plane by removing the\nlinkerd-controller deployment and moving the sp-validator container into the\ndestination deployment.\n\nAnnotation inheritance has been added so that all Linkerd annotations\non a namespace resource will be inherited by pods within that namespace.\nIn addition, the `config.linkerd.io/proxy-await` annotation has been added which\nenables the [linkerd-await](https://github.com/linkerd/linkerd-await)\nfunctionality by default, simplifying the implementation of the await behavior.\nSetting the annotation value to disabled will prevent this behavior.\n\nSome of the `linkerd check` functionality has been updated. The command\nensures that annotations and labels are properly located in the YAML and adds\nproxy checks for the control plane and extension pods.\n\nFinally, the nginx container has been removed from the Multicluster gateway pod,\nwhich will impact upgrades. Please see the note below.\n\n**Upgrade note:** When the Multicluster extension is updated in both of the\nsource and target clusters there won't be any downtime because this change only\naffects the readiness probe. The multicluster links must be re-generated with\nthe `linkerd mc link` command and the `linkerd mc gateways` will show\nthe target cluster as not alive until the `linkerd mc link` command is re-run,\nhowever that shouldn't affect existing endpoints pointing to the target cluster.\n\n* Added proxy checks for core control plane and extension pods\n* Added support for awaiting proxy readiness using an annotation\n* Added namespace annotation inheritance to pods\n* Removed the linkerd-controller pod\n* Moved sp-validator container into the destination deployment\n* Added check verifying that labels and annotations are not mixed up\n (thanks @szymongib)\n* Enabled support for extra initContainers to the linkerd-cni daemonset\n (thanks @mhulscher!)\n* Removed nginx container from multicluster gateway pod\n* Added an error message when there is nothing to uninstall\n\n## stable-2.10.1\n\nThis stable release adds CLI support for Apple Silicon M1 chips and support for\nSMI's TrafficSplit `v1alpha2`.\n\nThere are several proxy fixes: handling `FailedPrecondition` errors gracefully,\ninbound TLS detection from non-meshed workloads, and using the correct cached\nclient when the proxy is in ingress mode. The logging infrastructure has also\nbeen improved to reduce memory pressure in high-connection environments.\n\nOn the control-plane side, there have been several improvements to the\ndestination service such as support for Host IP lookups and ignoring pods\nin \"Terminating\" state. It also updates the proxy-injector to add opaque ports\nannotation to pods if their namespace has it set.\n\nOn the CLI side, `linkerd repair` has been updated to be aware about the control-plane\nversion and suggest the relevant version to generate the right config. Various\nbugs have been fixed around `linkerd identity`, etc.\n\n**Upgrade notes**: Please refer [2.10 upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2100)\nif you are upgrading from `2.9.x` or below versions.\n\n* Proxy:\n * Fixed an issue where proxies could infinitely retry failed requests to the\n `destination` controller when it returned a `FailedPrecondition`\n * The proxy's logging infrastructure has been updated to reduce memory pressure\n in high-connection environments.\n * Fixed a caching issue in the outbound proxy that would cause it to\n forward traffic to the wrong pod when running in ingress mode.\n * Fixed an issue where inbound TLS detection from non-meshed workloads\n could break\n * Fixed an issue where the admin server's HTTP detection would fail and\n not recover; these are now handled gracefully and without logging warnings\n * Control plane proxies no longer emit warnings about the resolution stream ending.\n This error was innocuous.\n * Bumped the proxy-init image to v1.3.11 which updates the go version to be 1.16.2\n\n* Control Plane:\n * Fixed an issue where the destination service would respond with too big of a\n header and result in http2 protocol errors\n * Fixed an issue where the destination control plane component sometimes returned\n endpoint addresses with a 0 port number while pods were undergoing a rollout\n (thanks @riccardofreixo!)\n * Fixed an issue where pod lookups by host IP and host port fail even though\n the cluster has a matching pod\n * Updated the IP Watcher in destination to ignore pods in \"Terminating\" state\n (thanks @Wenliang-CHEN!)\n * Modified the proxy-injector to add the opaque ports annotation to pods\n if their namespace has it set\n * Added Support for TrafficSplit `v1alpha2`\n * Updated all the control-plane components to use go `1.16.2`.\n\n* CLI:\n * Fixed an issue where the linkerd identity command returned the root\n certificate of a pod instead of its leaf certificates\n * Fixed an issue where the destination service would respond with too\n big of a header and result in http2 protocol errors\n * Updated the release process to build Linkerd CLI binaries for Apple\n Silicon M1 chips\n * Improved error messaging when trying to install Linkerd on a cluster\n that already had Linkerd installed\n * Added a loading spinner to the linkerd check command when running\n extension checks\n * Added installNamespace toggle in the jaeger extension's install.\n (thanks @jijeesh!)\n * Updated healthcheck pkg to have hintBaseURL configurable, useful\n for external extensions using that pkg\n * Fixed TCP read and write bytes/sec calculations to group by label\n based off inbound or outbound traffic\n * Fixed an issue in linkerd inject where the wrong annotation would\n be added when using --ingress flag\n * Updated `linkerd repair` to be aware of the client and server versions\n * Updated `linkerd uninstall` to print error message when there are no\n resources to uninstall.\n\n* Helm:\n * Aligned the Helm installation heartbeat schedule to match that of the CLI\n\n* Viz:\n * Fixed an issue where the topology graph in the dashboard was no\n longer draggable.\n * Updated dashboard build to use webpack v5\n * Added CA certs to the Viz extension's metrics-api container so\n that it can validate the certificate of an external Prometheus\n * Removed components from the control plane dashboard that now\n are part of the Viz extension\n * Changed web's base image from debian to scratch\n\n* Multicluster:\n * Fixed an issue with Multicluster's service mirror where its endpoint\n repair retries were not properly rate limited\n\n* Jaeger:\n * Fixed components in the Jaeger extension to set the correct Prometheus\n scrape values\n\n## edge-21.4.3\n\nThis edge supersedes `edge-21.4.2` as a release candidate for `stable-2.10.1`!\n\nThis release adds support for TrafficSplit `v1alpha2`. Additionally, It includes\nimprovements to the web and `proxy-init` images.\n\n* Added Support for TrafficSplit `v1alpha2`\n* Changed web base image from debian to scratch\n* Bumped the `proxy-init` image to `v1.3.11` which updates\n the go version to be `1.16.2`\n\n## edge-21.4.2\n\nThis edge release is another candidate for `stable-2.10.1`!\n\nIt includes some CLI fixes and addresses an issue where the outbound proxy\nwould forward traffic to the wrong pod when running in ingress mode.\n\nThank you to all of our users that have helped test and identify issues in 2.10!\n\n* Fixed an issue in `linkerd inject` where the wrong annotation would be\n added when using `--ingress` flag\n* Fixed a nil pointer dereference in `linkerd repair` caused by a mismatch\n between CLI and server versions\n* Removed an unnecessary error handling condition in multicluster check\n (thanks @wangchenglong01!)\n* Fixed a caching issue in the outbound proxy that would cause it to\n forward traffic to the wrong pod when running in ingress mode.\n* Removed unsupported `matches` field from TrafficSplit CRD\n\n## edge-21.4.1\n\nThis is a release candidate for `stable-2.10.1`!\n\nThis includes several fixes for the core installation as well the Multicluster,\nJaeger, and Viz extensions. There are two significant proxy fixes that address\nTLS detection and admin server failures.\n\nThanks to all our 2.10 users who helped discover these issues!\n\n* Fixed TCP read and write bytes/sec calculations to group by label based off\n inbound or outbound traffic\n* Updated dashboard build to use webpack v5\n* Modified the proxy-injector to add the opaque ports annotation to pods if\n their namespace has it set\n* Added CA certs to the Viz extension's `metrics-api` container so that it can\n validate the certificate of an external Prometheus\n* Fixed an issue where inbound TLS detection from non-meshed workloads could\n break\n* Fixed an issue where the admin server's HTTP detection would fail and not\n recover; these are now handled gracefully and without logging warnings\n* Aligned the Helm installation heartbeat schedule to match that of the CLI\n* Fixed an issue with Multicluster's service mirror where it's endpoint repair\n retries were not properly rate limited\n* Removed components from the control plane dashboard that now are part of the\n Viz extension\n* Fixed components in the Jaeger extension to set the correct Prometheus scrape\n values\n\n## edge-21.3.4\n\nThis release fixes some issues around publishing of CLI binary\nfor Apple Silicon M1 Chips. This release also includes some fixes and\nimprovements to the dashboard, destination, and the CLI.\n\n* Fixed an issue where the topology graph in the dashboard was no longer\n draggable\n* Updated the IP Watcher in destination to ignore pods in \"Terminating\" state\n (thanks @Wenliang-CHEN!)\n* Added `installNamespace` toggle in the jaeger extension's install.\n (thanks @jijeesh!)\n* Updated `healthcheck` pkg to have `hintBaseURL` configurable, useful\n for external extensions using that pkg\n* Added multi-arch support for RabbitMQ integration tests (thanks @barkardk!)\n\n## edge-21.3.3\n\nThis release includes various bug fixes and improvements to the CLI, the\nidentity and destination control plane components as well as the proxy. This\nrelease also ships with a new CLI binary for Apple Silicon M1 chips.\n\n* Added new RabbitMQ integration tests (thanks @barkardk!)\n* Updated the Go version to 1.16.2\n* Fixed an issue where the `linkerd identity` command returned the root\n certificate of a pod instead of its leaf certificate\n* Fixed an issue where the destination service would respond with too big of a\n header and result in http2 protocol errors\n* Updated the release process to build Linkerd CLI binaries for Apple Silicon\n M1 chips\n* Improved error messaging when trying to install Linkerd on a cluster that\n already had Linkerd installed\n* Fixed an issue where the `destination` control plane component sometimes\n returned endpoint addresses with a `0` port number while pods were\n undergoing a rollout (thanks @riccardofreixo!)\n* Added a loading spinner to the `linkerd check` command when running extension\n checks\n* Fixed an issue where pod lookups by host IP and host port fail even though\n the cluster has a matching pod\n* Control plane proxies no longer emit warnings about the resolution stream\n ending. This error was innocuous.\n* Fixed an issue where proxies could infinitely retry failed requests to the\n `destination` controller when it returned a `FailedPrecondition`\n* The proxy's logging infrastructure has been updated to reduce memory pressure\n in high-connection environments.\n\n## stable-2.10.0\n\nThis release introduces Linkerd extensions. The default control plane no longer\nincludes Prometheus, Grafana, the dashboard, or several other components that\npreviously shipped by default. This results in a much smaller and simpler set\nof core functionalities. Visibility and metrics functionality is now available\nin the Viz extension under the `linkerd viz` command. Cross-cluster\ncommunication functionality is now available in the Multicluster extension\nunder the `linkerd multicluster` command. Distributed tracing functionality is\nnow available in the Jaeger extension under the `linkerd jaeger` command.\n\nThis release also introduces the ability to mark certain ports as \"opaque\",\nindicating that the proxy should treat the traffic as opaque TCP instead of\nattempting protocol detection. This allows the proxy to provide TCP metrics\nand mTLS for server-speaks-first protocols. It also enables support for\nTCP traffic in the Multicluster extension.\n\n**Upgrade notes**: Please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2100).\n\n* Proxy\n * Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains\n enabled for compatibility with prior proxy versions\n * Improved support for server-speaks-first protocols by allowing ports to be\n marked as opaque, causing the proxy to skip protocol detection. Ports can\n be marked as opaque by setting the `config.linkerd.io/opaque-ports`\n annotation on the Pod and Service or by using the `--opaque-ports` flag with\n `linkerd inject`\n * Ports `25,443,587,3306,5432,11211` have been removed from the default skip\n ports; all traffic through those ports is now proxied and handled opaquely\n by default\n * Fixed an issue that could cause proxies in \"ingress mode\"\n (`linkerd.io/inject: ingress`) to use an excessive amount of memory\n * Improved diagnostic logging around \"fail fast\" and \"max-concurrency\n exhausted\" error messages\n * Added a new `/shutdown` admin endpoint that may only be accessed over the\n loopback network allowing batch jobs to gracefully terminate the proxy on\n completion\n\n* Control Plane\n * Removed all components and functionality related to visibility, tracing,\n or multicluster. These have been moved into extensions\n * Changed the identity controller to receive the trust anchor via environment\n variable instead of by flag; this allows the certificate to be loaded from a\n config map or secret (thanks @mgoltzsche!)\n * Added PodDisruptionBudgets to the control plane components so that they\n cannot be all terminated at the same time during disruptions\n (thanks @tustvold!)\n\n* CLI\n * Changed the `check` command to include each installed extension's `check`\n output; this allows users to check for proper configuration and installation\n of Linkerd without running a command for each extension\n * Moved the `metrics`, `endpoints`, and `install-sp` commands into subcommands\n under the `diagnostics` command\n * Added an `--opaque-ports` flag to `linkerd inject` to easily mark ports\n as opaque.\n * Added the `repair` command which will repopulate resources needed for\n properly upgrading a Linkerd installation\n * Added Helm-style `set`, `set-string`, `values`, `set-files` customization\n flags for the `linkerd install` and `linkerd upgrade` commands\n * Introduced the `linkerd identity` command, used to fetch the TLS certificates\n for injected pods (thanks @jimil749)\n * Removed the `get` and `logs` command from the CLI\n\n* Helm\n * Changed many Helm values, please see the upgrade notes\n\n* Viz\n * Introduced the `linkerd viz` subcommand which contains commands for\n installing the viz extension and all visibility commands\n * Updated the Web UI to only display the \"Gateway\" sidebar link when the\n multicluster extension is active\n * Added a `linkerd viz list` command to list pods with tap enabled\n * Fixed an issue where the `tap` APIServer would not refresh its certs\n automatically when provided externally—like through cert-manager\n\n* Multicluster\n * Introduced the `linkerd multicluster` subcommand which contains commands for\n installing the multicluster extension and all multicluster commands\n * Added support for cross-cluster TCP traffic\n * Updated the service mirror controller to copy the\n `config.linkerd.io/opaque-ports` annotation when mirroring services so that\n cross-cluster traffic can be correctly handled as opaque\n * Added support for multicluster gateways of types other than LoadBalancer\n (thanks @DaspawnW!)\n\n* Jaeger\n * Introduced the `linkerd jaeger` subcommand which contains commands for\n installing the jaeger extension and all tracing commands\n * Added a `linkerd jaeger list` command to list pods with tracing enabled\n\nThis release includes changes from a massive list of contributors. A special\nthank-you to everyone who helped make this release possible:\n[Lutz Behnke](https://github.com/cypherfox)\n[Björn Wenzel](https://github.com/DaspawnW)\n[Filip Petkovski](https://github.com/fpetkovski)\n[Simon Weald](https://github.com/glitchcrab)\n[GMarkfjard](https://github.com/GMarkfjard)\n[hodbn](https://github.com/hodbn)\n[Hu Shuai](https://github.com/hs0210)\n[Jimil Desai](https://github.com/jimil749)\n[jiraguha](https://github.com/jiraguha)\n[Joakim Roubert](https://github.com/joakimr-axis)\n[Josh Soref](https://github.com/jsoref)\n[Kelly Campbell](https://github.com/kellycampbell)\n[Matei David](https://github.com/mateiidavid)\n[Mayank Shah](https://github.com/mayankshah1607)\n[Max Goltzsche](https://github.com/mgoltzsche)\n[Mitch Hulscher](https://github.com/mhulscher)\n[Eugene Formanenko](https://github.com/mo4islona)\n[Nathan J Mehl](https://github.com/n-oden)\n[Nicolas Lamirault](https://github.com/nlamirault)\n[Oleh Ozimok](https://github.com/oleh-ozimok)\n[Piyush Singariya](https://github.com/piyushsingariya)\n[Naga Venkata Pradeep Namburi](https://github.com/pradeepnnv)\n[rish-onesignal](https://github.com/rish-onesignal)\n[Shai Katz](https://github.com/shaikatz)\n[Takumi Sue](https://github.com/tkms0106)\n[Raphael Taylor-Davies](https://github.com/tustvold)\n[Yashvardhan Kukreja](https://github.com/yashvardhan-kukreja)\n\n## edge-21.3.2\n\nThis edge release is another release candidate for stable 2.10 and fixes some\nfinal bugs found in testing. A big thank you to users who have helped us\nidentity these issues!\n\n* Fixed an issue with the service profile validating webhook that prevented\n service profiles from being added or updated\n* Updated the `check` command output hint anchors to match Linkerd component\n names\n* Fixed a permission issue with the Viz extension's tap admin cluster role by\n adding namespace listing to the allowed actions\n* Fixed an issue with the proxy where connections would not be torn down when\n communicating with a defunct endpoint\n* Improved diagnostic logging in the proxy\n* Fixed an issue with the Viz extension's Prometheus template that prevented\n users from specifying a log level flag for that component (thanks @n-oden!)\n* Fixed a template parsing issue that prevented users from specifying additional\n ignored inbound parts through Helm's `--set` flag\n* Fixed an issue with the proxy where non-HTTP streams could sometimes hang due\n to TLS buffering\n\n## edge-21.3.1\n\nThis edge release is another release candidate, bringing us closer to\n`stable-2.10.0`! It fixes the Helm install/upgrade procedure and ships some new\nCLI commands, among other improvements.\n\n* Fixed Helm install/upgrade, which was failing when not explicitly setting\n `proxy.image.version`\n* Added a warning in the dashboard when viewing tap streams from resources that\n don't have tap enabled\n* Added the command `linkerd viz list` to list meshed pods and indicate which can\n be tapped, which need to be restarted before they can be tapped, and which\n have tap disabled\n* Similarly, added the command `linkerd jaeger list` to list meshed pods and\n indicate which will participate in tracing\n* Added the `--opaque-ports` flag to `linkerd inject` to specify the list of\n opaque ports when injecting pods (and services)\n* Simplified the output of `linkerd jaeger check`, combining the checks for the\n status of each component into a single check\n* Changed the destination component to receive the list of default opaque ports\n set during install so that it's properly reflected during discovery\n* Moved the level of the proxy server's I/O-related \"Connection closed\" messages\n from info to debug, which were not providing actionable information\n\n## edge-21.2.4\n\nThis edge is a release candidate for `stable-2.10.0`! It wraps up the functional\nchanges planned for the upcoming stable release. We hope you can help us test\nthis in your staging clusters so that we can address anything unexpected before\nan official stable.\n\nThis release introduces support for CLI extensions. The Linkerd `check` command\nwill now invoke each extension's `check` command so that users can check the\nhealth of their Linkerd installation and extensions with one command. Additional\ndocumentation will follow for developers interested in creating extensions.\n\nAdditionally, there is no longer a default list of ports skipped by the proxy.\nThese ports have been moved to opaque ports, meaning protocols like MySQL will\nbe encrypted by default and without user input.\n\n* Cleaned up entries in `values.yaml` by removing `do not edit` entries; they\n are now hardcoded in the templates\n* Added the count of service profiles installed in a cluster to the Heartbeat\n metrics\n* Fixed CLI commands which would unnecessarily print usage instructions after\n encountering API errors (thanks @piyushsingariya!)\n* Fixed the `install` command so that it errors after detecting there is an\n existing Linkerd installation in the cluster\n* Changed the identity controller to receive the trust anchor via environment\n variable instead of by flag; this allows the certificate to be loaded from a\n config map or secret (thanks @mgoltzsche!)\n* Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains enabled\n for compatibility with prior proxy versions\n* The opaque ports annotation is now supported on services and enables users to\n use this annotation on mirrored services in multicluster installations\n* Reverted the renaming of the `mirror.linkerd.io` label\n* Ports `25,443,587,3306,5432,11211` have been removed from the default skip\n ports; all traffic through those ports is now proxied and handled opaquely by\n default\n* Errors configuring the firewall in CNI are propagated so that they can be\n handled by the user\n* Removed Viz extension warnings from the `check --proxy` command when tap is\n not configured for pods; this is now handled by the `viz tap` command\n* Added support for CLI extensions as well as ensuring their `check` commands\n are invoked by Linkerd's `check` command\n* Moved the `metrics`, `endpoints`, and `install-sp` commands into subcommands\n under the `diagnostics` command.\n* Removed the `linkerd-` prefix from non-cluster scoped resources in the Viz and\n Jaeger extensions\n* Added the linkerd-await helper to all Linkerd containers so that the proxy can\n initialize before the components start making outbound connections\n* Removed the `tcp_connection_duration_ms` histogram from the metrics export to\n fix high cardinality issues that surfaced through high memory usage\n\n## edge-21.2.3\n\nThis release wraps up most of the functional changes planned for the upcoming\n`stable-2.10.0` release. Try this edge release in your staging cluster and\nlet us know if you see anything unexpected!\n\n* **Breaking change**: Changed the multicluster `Service`-export annotation\n from `mirror.linkerd.io/exported` to `multicluster.linkerd.io/export`\n* Updated the proxy-injector to to set the `config.linkerd.io/opaque-ports`\n annotation on newly-created `Service` objects when the annotation is set on\n its parent `Namespace`\n* Updated the proxy-injector to ignore pods that have disabled\n `automountServiceAccountToken` (thanks @jimil749)\n* Updated the proxy to log warnings when control plane components are\n unresolveable\n* Updated the Destination controller to cache node topology metadata (thanks\n @fpetkovski)\n* Updated the CLI to handle API errors without printing the CLI usage (thanks\n @piyushsingariya)\n* Updated the Web UI to only display the \"Gateway\" sidebar link when the\n multicluster extension is active\n* Fixed the Web UI on Chrome v88 (thanks @kellycampbell)\n* Improved `install` and `uninstall` behavior for extensions to prevent\n control-plane components from being left in a broken state\n* Docker images are now hosted on the `cr.l5d.io` registry\n* Updated base docker images to buster-20210208-slim\n* Updated the Go version to 1.14.15\n* Updated the proxy to prevent outbound connections to localhost to protect\n against traffic loops\n\n## edge-21.2.2\n\nThis edge release introduces support for multicluster TCP!\n\nThe `repair` command was added which will repopulate resources needed for\nupgrading from a `2.9.x` installation. There will be an error message during the\nupgrade process indicating that this command should be run so that users do not\nneed to guess.\n\nLastly, it contains a breaking change for Helm users. The `global` field has\nbeen removed from the Helm chart now that it is no longer needed. Users will\nneed to pass in the identity certificates again—along with any other\ncustomizations, no longer rooted at `global`.\n\n* **Breaking change**: Removed the `Global` field from the Linkerd Helm chart\n now that it is unused because of the extension model\n* Added the `repair` command which will repopulate resources needed for properly\n upgrading a Linkerd installation\n* Fixed the spelling of the `sidecarContainers` key in the Viz extension Helm\n chart to match that of the template (thanks @n-oden!)\n* Added the `tapInjector.logLevel` key to the Viz extension helm chart so that\n the log level of the component can be configured\n* Removed the `--disable-tap` flag from the `inject` command now that tap is no\n longer part of the core installation (thanks @mayankshah1607!)\n* Changed proxy configuration to use fully-qualified DNS names to avoid extra\n search paths in DNS resolutions\n* Changed the `check` command to include each installed extension's `check`\n output; this allows users to check for proper configuration and installation\n of Linkerd without running a command for each extension\n* Added proxy support for TCP traffic to the multicluster gateways\n\n## edge-21.2.1\n\nThis edge release continues improving the proxy's diagnostics and also avoids\ntiming out when the HTTP protocol detection fails. Additionally, old resource\nversions were upgraded to avoid warnings in k8s v1.19. Finally, it comes with\nlots of CLI improvements detailed below.\n\n* Improved the proxy's diagnostic metrics to help us get better insights into\n services that are in fail-fast\n* Improved the proxy's HTTP protocol detection to prevent timeout errors\n* Upgraded CRD and webhook config resources to get rid of warnings in k8s v1.19\n (thanks @mateiidavid!)\n* Added viz components into the Linkerd Health Grafana charts\n* Had the tap injector add a `viz.linkerd.io/tap-enabled` annotation when\n injecting a pod, which allowed providing clearer feedback for the `linkerd\n tap` command\n* Had the jaeger injector add a `jaeger.linkerd.io/tracing-enabled` annotation\n when injecting a pod, which also allowed providing better feedback for the\n `linkerd jaeger check` command\n* Improved the `linkerd uninstall` command so it fails gracefully when there\n still are injected resources in the cluster (a `--force` flag was provided\n too)\n* Moved the `linkerd profile --tap` functionality into a new command `linkerd\n viz profile --tap`, given tap now belongs to the viz extension\n* Expanded the `linkerd viz check` command to include data-plane checks\n* Cleaned-up YAML in templates that was incompatible with SOPS (thanks\n @tkms0106!)\n\n## edge-21.1.4\n\nThis edge release continues to polish the Linkerd extension model and improves\nthe robustness of the opaque transport.\n\n* Improved the consistency of behavior of the `check` commands between\n Linkerd extensions\n* Fixed an issue where Linkerd extension commands could be run before the\n extension was fully installed\n* Renamed some extension Helm charts for consistency:\n * jaeger -> linkerd-jaeger\n * linkerd2-multicluster -> linkerd-multicluster\n * linkerd2-multicluster-link -> linkerd-multicluster-link\n* Fixed an issue that could cause the inbound proxy to fail meshed HTTP/1\n requests from older proxies (from the stable-2.8.x vintage)\n* Changed opaque-port transport to be advertised via ALPN so that new proxies\n will not initiate opaque-transport connections to proxies from prior edge\n releases\n* Added inbound proxy transport metrics with `tls=\"passthru\"` when forwarding\n non-mesh TLS connections\n* Thanks to @hs0210 for adding new unit tests!\n\n## edge-21.1.3\n\nThis edge release improves proxy diagnostics and recovery in situations where\nthe proxy is temporarily unable to route requests. Additionally, the `viz` and\n`multicluster` CLI sub-commands have been updated for consistency.\n\nFull release notes:\n\n* Added Helm-style `set`, `set-string`, `values`, `set-files` customization\n flags for the `linkerd install` and `linkerd multicluster install` commands\n* Fixed an issue where `linkerd metrics` could return metrics for the incorrect\n set of pods when there are overlapping label selectors\n* Added tap-injector to linkerd-viz which is responsible for adding the tap\n service name environment variable to the Linkerd proxy container\n* Improved diagnostics when the proxy is temporarily unable to route requests\n* Made proxy recovery for a service more robust when the proxy is unable to\n route requests, even when new requests are being received\n* Added `client` and `server` prefixes in the proxy logs for socket-level errors\n to indicate which side of the proxy encountered the error\n* Improved jaeger-injector reliability in environments with many resources by\n adding watch RBAC permissions\n* Added check to confirm whether the jaeger-injector pod is in running state\n (thanks @yashvardhan-kukreja!)\n* Fixed a crash in the destination controller when EndpointSlices are enabled\n (thanks @oleh-ozimok!)\n* Added a `linkerd viz check` sub-command to verify the states of the\n `linkerd-viz` components\n* Added a `log-format` flag to optionally output the control plane component log\n output as JSON (thanks @mo4islona!)\n* Updated the logic in the `metrics` and `profile` subcommands to use the\n `namespace` specified by the `current-context` of the KUBECONFIG so that it is\n no longer necessary to use the `--namespace` flag to query resources in the\n current namespace. Queries for resources in namespaces other than the\n current namespace still require the `--namespace` flag\n* Added new pod 'linkerd-metrics-api' set up by `linkerd viz install` that\n manages all functionality dependent on Prometheus, thus removing most of the\n dependencies on Prometheus from the linkerd core installation\n* Removed need to have linkerd-viz installed for the\n `linkerd multicluster check` command to properly work.\n\n## edge-21.1.2\n\nThis edge release continues the work on decoupling non-core Linkerd components.\nCommands that use the viz extension i.e, `dashboard`, `edges`, `routes`,\n`stat`, `tap` and `top` are moved to the `viz` sub-command. These commands are still\navailable under root but are marked as deprecated and will be removed in a\nlater stable release.\n\nThis release also upgrades the proxy's dependencies to the Tokio v1 ecosystem.\n\n* Moved sub-commands that use the viz extension under `viz`\n* Started ignoring pods with `Succeeded` status when watching IP addresses\n in destination. This allows the re-use of IPs of terminated pods\n* Support Bring your own Jaeger use-case by adding `collector.jaegerAddr` in\n the Jaeger extension.\n* Fixed an issue with the generation of working manifests in the\n `podAntiAffinity` use-case\n* Added support for the modification of proxy resources in the viz\n extension through `values.yaml` in Helm and flags in CLI.\n* Improved error reporting for port-forward logic with namespace\n and pod data, used across dashboard, checks, etc\n (thanks @piyushsingariya)\n* Added support to disable the rendering of `linkerd-viz` namespace\n resource in the viz extension (thanks @nlamirault)\n* Made service-profile generation work offline with `--ignore-cluster`\n flag (thanks @piyushsingariya)\n* Upgraded the proxy's dependencies to the Tokio v1 ecosystem\n\n## edge-21.1.1\n\nThis edge release introduces a new \"opaque transport\" feature that allows the\nproxy to securely transport server-speaks-first and otherwise opaque TCP\ntraffic. Using the `config.linkerd.io/opaque-ports` annotation on pods and\nnamespaces, users can configure ports that should skip the proxy's protocol\ndetection.\n\nAdditionally, a new `linkerd-viz` extension has been introduced that separates\nthe installation of the Grafana, Prometheus, web, and tap components. This\nextension closely follows the Jaeger and multicluster extensions; users can\n`install` and `uninstall` with the `linkerd viz ..` command as well as configure\nfor HA with the `--ha` flag.\n\nThe `linkerd viz install` command does not have any cli flags to customize the\ninstall directly, but instead follows the Helm way of customization by using\nflags such as `set`, `set-string`, `values`, `set-files`.\n\nFinally, a new `/shutdown` admin endpoint that may only be accessed over the\nloopback network has been added. This allows batch jobs to gracefully terminate\nthe proxy on completion. The `linkerd-await` utility can be used to automate\nthis.\n\n* Added a new `linkerd multicluster check` command to validate that the\n `linkerd-multicluster` extension is working correctly\n* Fixed description in the `linkerd edges` command (thanks @jsoref!)\n* Moved the Grafana, Prometheus, web, and tap components into a new Viz chart,\n following the same extension model that multicluster and Jaeger follow\n* Introduced a new \"opaque transport\" feature that allows the proxy to securely\n transport server-speaks-first and otherwise opaque TCP traffic\n* Removed the check comparing the `ca.crt` field in the identity issuer secret\n and the trust anchors in the Linkerd config; these values being different is\n not a failure case for the `linkerd check` command (thanks @cypherfox!)\n* Removed the Prometheus check from the `linkerd check` command since it now\n depends on a component that is installed with the Viz extension\n* Fixed error messages thrown by the cert checks in `linkerd check` (thanks\n @pradeepnnv!)\n* Added PodDisruptionBudgets to the control plane components so that they cannot\n be all terminated at the same time during disruptions (thanks @tustvold!)\n* Fixed an issue that displayed the wrong `linkerd.io/proxy-version` when it is\n overridden by annotations (thanks @mateiidavid!)\n* Added support for custom registries in the `linkerd-viz` helm chart (thanks\n @jimil749!)\n* Renamed `proxy-mutator` to `jaeger-injector` in the `linkerd-jaeger` extension\n* Added a new `/shutdown` admin endpoint that may only be accessed over the\n loopback network allowing batch jobs to gracefully terminate the proxy on\n completion\n* Introduced the `linkerd identity` command, used to fetch the TLS certificates\n for injected pods (thanks @jimil749)\n* Fixed an issue with the CNI plugin where it was incorrectly terminating and\n emitting error events (thanks @mhulscher!)\n* Re-added support for non-LoadBalancer service types in the\n `linkerd-multicluster` extension\n\n## edge-20.12.4\n\nThis edge release adds support for the `config.linkerd.io/opaque-ports`\nannotation on pods and namespaces, to configure ports that should skip the\nproxy's protocol detection. In addition, it adds new CLI commands related to the\n`linkerd-jaeger` extension, fixes bugs in the CLI `install` and `upgrade`\ncommands and Helm charts, and fixes a potential false positive in the proxy's\nHTTP protocol detection. Finally, it includes improvements in proxy performance\nand memory usage, including an upgrade for the proxy's dependency on the Tokio\nasync runtime.\n\n* Added support for the `config.linkerd.io/opaque-ports` annotation on pods and\n namespaces, to indicate to the proxy that some ports should skip protocol\n detection\n* Fixed an issue where `linkerd install --ha` failed to honor flags\n* Fixed an issue where `linkerd upgrade --ha` can override existing configs\n* Added missing label to the `linkerd-config-overrides` secret to avoid breaking\n upgrades performed with the help of `kubectl apply --prune`\n* Added a missing icon to Jaeger Helm chart\n* Added new `linkerd jaeger check` CLI command to validate that the\n `linkerd-jaeger` extension is working correctly\n* Added new `linkerd jaeger uninstall` CLI command to print the `linkerd-jaeger`\n extension's resources so that they can be piped into `kubectl delete`\n* Fixed an issue where the `linkerd-cni` daemonset may not be installed on all\n intended nodes, due to missing tolerations to the `linkerd-cni` Helm chart\n (thanks @rish-onesignal!)\n* Fixed an issue where the `tap` APIServer would not refresh its certs\n automatically when provided externally—like through cert-manager\n* Changed the proxy's cache eviction strategy to reduce memory consumption,\n especially for busy HTTP/1.1 clients\n* Fixed an issue in the proxy's HTTP protocol detection which could cause false\n positives for non-HTTP traffic\n* Increased the proxy's default dispatch timeout to 5 seconds to accommodate\n connection pools which might open connections without immediately making a\n request\n* Updated the proxy's Tokio dependency to v0.3\n\n## edge-20.12.3\n\nThis edge release is functionally the same as `edge-20.12.2`. It fixes an issue\nthat prevented the release build from occurring.\n\n## edge-20.12.2\n\n* Fixed an issue where the `proxy-injector` and `sp-validator` did not refresh\n their certs automatically when provided externally—like through cert-manager\n* Added support for overrides flags to the `jaeger install` command to allow\n setting Helm values when installing the Linkerd-jaeger extension\n* Added missing Helm values to the multicluster chart (thanks @DaspawnW!)\n* Moved tracing functionality to the `linkerd-jaeger` extension\n* Fixed various issues in developer shell scripts (thanks @joakimr-axis!)\n* Fixed an issue where `install --ha` was only partially applying the high\n availability config\n* Updated RBAC API versions in the CNI chart (thanks @glitchcrab!)\n* Fixed an issue where TLS credentials are changed during upgrades, but the\n Linkerd webhooks would not restart, leaving them to use older credentials and\n fail requests\n* Stopped publishing the multicluster link chart as its primary use case is in\n the `multicluster link` command and not being installed through Helm\n* Added service mirror error logs for when the multicluster gateway's hostname\n cannot be resolved.\n\n## edge-20.12.1\n\nThis edge release continues the work of decoupling non-core Linkerd components\nby moving more tracing related functionality into the Linkerd-jaeger extension.\n\n* Continued work on moving tracing functionality from the main control plane\n into the `linkerd-jaeger` extension\n* Fixed a potential panic in the proxy when looking up a socket's peer address\n while under high load\n* Added automatic readme generation for charts (thanks @GMarkfjard!)\n* Fixed zsh completion for the CLI (thanks @jiraguha!)\n* Added support for multicluster gateways of types other than LoadBalancer\n (thanks @DaspawnW!)\n\n## edge-20.11.5\n\nThis edge release improves the proxy's support high-traffic workloads. It also\ncontains the first steps towards decoupling non-core Linkerd components, the\nfirst iteration being a new `linkerd jaeger` sub-command for installing tracing.\nPlease note this is still a work in progress.\n\n* Addressed some issues reported around clients seeing max-concurrency errors by\n increasing the default in-flight request limit to 100K pending requests\n* Have the proxy appropriately set `content-type` when synthesizing gRPC error\n responses\n* Bumped the `proxy-init` image to `v1.3.8` which is based off of\n `buster-20201117-slim` to reduce potential security vulnerabilities\n* No longer panic in rare cases when `linkerd-config` doesn't have an entry for\n `Global` configs (thanks @hodbn!)\n* Work in progress: the `/jaeger` directory now contains the charts and commands\n for installing the tracing component.\n\n## edge-20.11.4\n\n* Fixed an issue in the destination service where endpoints always included a\n protocol hint, regardless of the controller label being present or not\n\n## edge-20.11.3\n\nThis edge release improves support for CNI by properly handling parameters\npassed to the `nsenter` command, relaxes checks on root and intermediate\ncertificates (following X509 best practices), and fixes two issues: one that\nprevented installation of the control plane into a custom namespace and one\nwhich failed to update endpoint information when a headless service is modified.\nThis release also improves linkerd proxy performance by eliminating unnecessary\nendpoint resolutions for TCP traffic and properly tearing down serverside\nconnections when errors occur.\n\n* Added HTTP/2 keepalive PING frames\n* Removed logic to avoid redundant TCP endpoint resolution\n* Fixed an issue where serverside connections were not torn down when an error\n occurs\n* Updated `linkerd check` so that it doesn't attempt to validate the subject\n alternative name (SAN) on root and intermediate certificates. SANs for leaf\n certificates will continue to be validated\n* Fixed a CLI issue where the `linkerd-namespace` flag is not honored when\n passed to the `install` and `upgrade` commands\n* Fixed an issue where the proxy does not receive updated endpoint information\n when a headless service is modified\n* Updated the control plane Docker images to use `buster-20201117-slim` to\n reduce potential security vulnerabilities\n* Updated the proxy-init container to `v1.3.7` which fixes CNI issues in certain\n environments by properly parsing `nsenter` args\n\n## edge-20.11.2\n\nThis edge release reduces memory consumption of Linkerd proxies which maintain\nmany idle connections (such as Prometheus). It also removes some obsolete\ncommands from the CLI and allows setting custom annotations on multicluster\ngateways.\n\n* Reduced the default idle connection timeout to 5s for outbound clients and\n 20s for inbound clients to reduce the proxy's memory footprint, especially on\n Prometheus instances\n* Added support for setting annotations on the multicluster gateway in Helm\n which allows setting the load balancer as internal (thanks @shaikatz!)\n* Removed the `get` and `logs` command from the CLI\n\n## stable-2.9.0\n\nThis release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP\nconnections, allowing Linkerd to transparently encrypt and authenticate all TCP\nconnections in the cluster the moment it's installed. It also adds ARM support,\nintroduces a new multi-core proxy runtime for higher throughput, adds support\nfor Kubernetes service topologies, and lots, lots more, as described below:\n\n* Proxy\n * Performed internal improvements for lower latencies under high concurrency\n * Reduced performance impact of logging, especially when the `debug` or\n `trace` log levels are disabled\n * Improved error handling for DNS errors encountered when discovering control\n plane addresses; this can be common during installation before all\n components have been started, allowing linkerd to continue to operate\n normally in HA during node outages\n\n* Control Plane\n * Added support for [topology-aware service\n routing](https://kubernetes.io/docs/concepts/services-networking/service-topology/)\n to the Destination controller; when providing service discovery updates to\n proxies the Destination controller will now filter endpoints based on the\n service's topology preferences\n * Added support for the new Kubernetes\n [EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)\n resource to the Destination controller; Linkerd can be installed with\n `--enable-endpoint-slices` flag to use this resource rather than the\n Endpoints API in clusters where this new API is supported\n\n* Dashboard\n * Added new Spanish translations (please help us translate into your\n language!)\n * Added new section for exposing multicluster gateway metrics\n\n* CLI\n * Renamed the `--addon-config` flag to `--config` to clarify this flag can be\n used to set any Helm value\n * Added fish shell completions to the `linkerd` command\n\n* Multicluster\n * Replaced the single `service-mirror` controller with separate controllers\n that will be installed per target cluster through `linkerd multicluster\n link`\n * Changed the mechanism for mirroring services: instead of relying on\n annotations on the target services, now the source cluster should specify\n which services from the target cluster should be exported by using a label\n selector\n * Added support for creating multiple service accounts when installing\n multicluster with Helm to allow more granular revocation\n * Added a multicluster `unlink` command for removing multicluster links\n\n* Prometheus\n * Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this\n makes the Linkerd Prometheus more configurable, gives it a separate upgrade\n lifecycle from the rest of the control plane, and allows users to\n disable the bundled Prometheus instance\n * The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:\n added `global.prometheusUrl` to the Helm config to have linkerd use an\n external Prometheus instance instead of the one provided by default\n * Added an option to persist data to a volume instead of memory, so that\n historical metrics are available when Prometheus is restarted\n * The helm chart can now configure persistent storage and limits\n\n* Other\n * Added a new `linkerd.io/inject: ingress` annotation and accompanying\n `--ingress` flag to the `inject` command, to configure the proxy to support\n service profiles and enable per-route metrics and traffic splits for HTTP\n ingress controllers\n * Changed the type of the injector and tap API secrets to `kubernetes.io/tls`\n so they can be provisioned by cert-manager\n * Changed default docker image repository to `ghcr.io` from `gcr.io`; **Users\n who pull the images into private repositories should take note of this\n change**\n * Introduced support for authenticated docker registries\n * Simplified the way that Linkerd stores its configuration; configuration is\n now stored as Helm values in the `linkerd-config` ConfigMap\n * Added support for Helm configuration of per-component proxy resources\n requests\n\nThis release includes changes from a massive list of contributors. A special\nthank-you to everyone who helped make this release possible: [Abereham G\nWodajie](https://github.com/Abrishges), [Alexander\nBerger](https://github.com/alex-berger), [Ali\nAriff](https://github.com/aliariff), [Arthur Silva\nSens](https://github.com/ArthurSens), [Chris\nCampbell](https://github.com/campbel), [Daniel\nLang](https://github.com/mavrick), [David Tyler](https://github.com/DaveTCode),\n[Desmond Ho](https://github.com/DesmondH0), [Dominik\nMünch](https://github.com/muenchdo), [George\nGarces](https://github.com/jgarces21), [Herrmann\nHinz](https://github.com/HerrmannHinz), [Hu Shuai](https://github.com/hs0210),\n[Jeffrey N. Davis](https://github.com/penland365), [Joakim\nRoubert](https://github.com/joakimr-axis), [Josh\nSoref](https://github.com/jsoref), [Lutz Behnke](https://github.com/cypherfox),\n[MaT1g3R](https://github.com/MaT1g3R), [Marcus Vaal](https://github.com/mvaal),\n[Markus](https://github.com/mbettsteller), [Matei\nDavid](https://github.com/mateiidavid), [Matt\nMiller](https://github.com/mmiller1), [Mayank\nShah](https://github.com/mayankshah1607),\n[Naseem](https://github.com/naseemkullah), [Nil](https://github.com/c-n-c),\n[OlivierB](https://github.com/olivierboudet), [Olukayode\nBankole](https://github.com/rbankole), [Paul\nBalogh](https://github.com/javaducky), [Rajat\nJindal](https://github.com/rajatjindal), [Raphael\nTaylor-Davies](https://github.com/tustvold), [Simon\nWeald](https://github.com/glitchcrab), [Steve\nGray](https://github.com/steve-gray), [Suraj\nDeshmukh](https://github.com/surajssd), [Tharun\nRajendran](https://github.com/tharun208), [Wei Lun](https://github.com/WLun001),\n[Zhou Hao](https://github.com/zhouhao3), [ZouYu](https://github.com/Hellcatlk),\n[aimbot31](https://github.com/aimbot31),\n[iohenkies](https://github.com/iohenkies), [memory](https://github.com/memory),\nand [tbsoares](https://github.com/tbsoares)\n\n## edge-20.11.1\n\nThis edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.\n\n* Fixed issue where the `check` command would error when there is no Prometheus\n configured\n* Fixed recent regression that caused multicluster on EKS to not work properly\n* Changed the `check` command to warn instead of error when webhook certificates\n are near expiry\n* Added the `--ingress` flag to the `inject` command which adds the recently\n introduced `linkerd.io/inject: ingress` annotation\n* Fixed issue with upgrades where external certs would be fetched and stored\n even though this does not happen on fresh installs with externally created\n certs\n* Fixed issue with upgrades where the issuer cert expiration was being reset\n* Removed the `--registry` flag from the `multicluster install` command\n* Removed default CPU limits for the proxy and control plane components in HA\n mode\n\n## edge-20.10.6\n\nThis edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It\nadds a new `linkerd.io/inject: ingress` annotation to support service profiles\nand enable per-route metrics and traffic splits for HTTP ingress controllers\n\n* Added a new `linkerd.io/inject: ingress` annotation to configure the\n proxy to support service profiles and enable per-route metrics and traffic\n splits for HTTP ingress controllers\n* Reduced performance impact of logging in the proxy, especially when the\n `debug` or `trace` log levels are disabled\n* Fixed spurious warnings logged by the `linkerd profile` CLI command\n\n## edge-20.10.5\n\nThis edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It\nadds a fix for updating the destination service when there are no endpoints\n\n* Added a fix to clear the EndpointTranslator state when it gets a\n `NoEndpoints` message. This ensures that the clients get the correct set of\n endpoints during an update.\n\n## edge-20.10.4\n\nThis edge release is a release candidate for stable-2.9.0. For the proxy, there\nhave been changes to improve performance, remove unused code, and configure\nports that can be ignored by default. Also, this edge release adds enhancements\nto the multicluster configuration and observability, adds more translations to\nthe dashboard, and addresses a bug in the CLI.\n\n* Added more Spanish translations to the dashboard and more labels that can be\n translated\n* Added support for creating multiple service accounts when installing\n multicluster with Helm to allow more granular revocation\n* Renamed `global.proxy.destinationGetNetworks` to `global.clusterNetworks`.\n This is a cluster-wide setting and can no longer be overridden per-pod\n* Fixed an empty multicluster Grafana graph which used a deprecated label\n* Added the control plane tracing ServiceAccounts to the linkerd-psp\n RoleBinding so that it can be used in environments where PodSecurityPolicy\n is enabled\n* Enhanced EKS support by adding `100.64.0.0/10` to the set of discoverable\n networks\n* Fixed a bug in the way that the `--all-namespaces` flag is handled by the\n `linkerd edges` command\n* Added a default set of ports to bypass the proxy for server-first, https,\n and memcached traffic\n\n## edge-20.10.3\n\nThis edge release is a release candidate for stable-2.9.0. It overhauls the\ndiscovery and routing logic implemented by the proxy, simplifies the way that\nLinkerd stores configuration, and adds new Helm values to configure additional\nlabels, annotations, and namespace selectors for webhooks.\n\n* Added podLabels and podAnnotations Helm values to allow adding additional\n labels or annotations to Linkerd control plane pods (thanks @tustvold!)\n* Added namespaceSelector Helm value for configuring the namespace selector\n used by admission webhooks (thanks @tustvold!)\n* Expanded the 'linkerd edges' command to show TCP connections\n* Overhauled the discovery and routing logic implemented by the proxy:\n * The `l5d-dst-override` header is no longer honored\n * When the application attempts to connect to a pod IP, the proxy no\n longer load balances these requests among all pods in the service.\n The proxy will now honor session-stickiness as selected by an\n application-level load balancer\n * `TrafficSplits` are only applied when a client targets a service's IP\n * The proxy no longer performs DNS \"canonicalization\" to translate\n relative host header names to a fully-qualified form\n* Simplified the way that Linkerd stores its configuration. Configuration is\n now stored as Helm values in the linkerd-config ConfigMap\n* Renamed the --addon-config flag to --config to clarify this flag can be used\n to set any Helm value\n\n## edge-20.10.2\n\nThis edge release adds more improvements for mTLS for all TCP traffic.\nIt also includes significant internal improvements to the way Linkerd\nconfiguration is stored within the cluster.\n\n* Changed TCP metrics exported by the proxy to ensure that peer\n identities are encoded via the `client_id` and `server_id` labels.\n* Removed the dependency of control plane components on `linkerd-config`\n* Updated the data structure `proxy-injector` uses to derive the configuration\n used when injecting workloads\n\n## edge-20.10.1\n\nThis edge release includes a couple of external contributions towards\nimproved cert-manager support and Grafana charts fixes, among other\nenhancements.\n\n* Changed the type of the injector and tap API secrets to `kubernetes.io/tls`,\n so they can be provisioned by cert-manager (thanks @cypherfox!)\n* Fixed the \"Kubernetes cluster monitoring\" Grafana dashboard that had a few\n charts with incomplete data (thanks @aimbot31!)\n* Fixed the `service-mirror` multicluster component so that it retries\n connections to the target cluster's Kubernetes API when it's not reachable,\n instead of blocking\n* Increased the proxy's default timeout for DNS resolution to 500ms, as there\n were reports that 100ms was too restrictive\n\n## edge-20.9.4\n\nThis edge release introduces support for authenticated docker registries and\nfixes a recent multicluster regression.\n\n* Fixed a regression in multicluster gateway configurations that would forbid\n inbound gateway traffic\n* Upgraded bundled Grafana to v7.1.5\n* Enabled Jaeger receiver in collector configuration in Helm chart (thanks\n @olivierboudet!)\n* Fixed skip port configuration being skipped in CNI plugin\n* Introduced support for authenticated docker registries (thanks @c-n-c!)\n\n## edge-20.9.3\n\nThis edge release includes fixes and updates for the control plane and CLI.\n\n* Added `--dest-cni-bin-dir` flag to the `linkerd install-cni` command, to\n configure the directory on the host where the CNI binary will be placed\n* Removed `collector.name` and `jaeger.name` config fields from the tracing\n addon\n* Updated Jaeger to 1.19.2\n* Fixed a warning about deprecated Go packages in controller container logs\n\n## edge-20.9.2\n\nThis edge release continues the work of adding support for mTLS for all TCP\ntraffic and changes the default container registry to `ghcr.io` from `gcr.io`.\n\nIf you are upgrading from `stable-2.8.x` with the Linkerd CLI using the\n`linkerd upgrade` command, you must add the `--addon-overwrite` flag to ensure\nthat the grafana image is properly set.\n\n* Removed the default timeout for ServiceProfiles so that ServiceProfile routes\n behave the same as when there is no ServiceProfile definition\n* Changed default docker image repository to ghcr.io from gcr.io. **Users who\n pull the images into private repositories should take note of this change**\n* Added endpoint labels to outbound TCP metrics to provide more context and\n detail for the metrics, add load balancing to TCP connections\n (bypassing kube-proxy), and secure the connection with mTLS when both\n endpoints are meshed\n* Made unnamed ServiceProfile discovery configurable using the\n `proxy.destinationGetNetworks` variable to set the\n `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS` variable in the proxy chart\n template\n* Added TLS certificate validation for the Injector, SP Validator, and Tap\n webhooks to the `linkerd check` command\n\n## edge-20.9.1\n\nThis edge release contains an important proxy update that allows linkerd to\ncontinue to operate normally in HA during node outages. We're also adding full\nKubernetes 1.19 support!\n\n* Improved the proxy's error handling for DNS errors encountered when\n discovering control plane addresses, which can be common during installation,\n before all components have been started\n* The destination and identity services had to be made headless in order to\n support that new controller discovery (which now can leverage SRV records)\n* Use SAN fields when generating the linkerd webhook configs; this completes the\n Kubernetes 1.19 support which enforces them\n* Fixed `linkerd check` for multicluster that was spuriously claiming the\n absence of some resources\n* Improved the injection test cleanup (thanks @zhouhao3!)\n* Added ability to run the integration test suite using a cluster in an ARM\n architecture (thanks @aliariff!)\n\n## edge-20.8.4\n\n* Fixed a problem causing the `enable-endpoint-slices` flag to not be persisted\n when set via `linkerd upgrade` (thanks @Matei207!)\n* Removed SMI-Metrics templates and experimental sub-commands\n* Use `--frozen-lockfile` to avoid accidental update of dashboard JS\n dependencies in CI (thanks @tharun208!)\n\n## edge-20.8.3\n\nThis edge release adds support for [topology-aware service routing][topology] to\nthe Destination controller. When providing service discovery updates to proxies,\nthe Destination controller will now filter endpoints based on the service's\ntopology preferences. Additionally, this release includes bug fixes for the\n`linkerd check` CLI command and web dashboard.\n\n* CLI\n * `linkerd check` will no longer warn about a looser webhook failure policy in\n HA mode\n* Controller\n * Added support for [topology-aware service routing][topology] to the Destination\n controller (thanks @Matei207)\n * Changed the Destination controller to always return destination overrides\n for service profiles when no traffic split is present\n* Web UI\n * Fixed Tap `Authority` dropdown not being populated (thanks to @tharun208!)\n\n[topology]: https://kubernetes.io/docs/concepts/services-networking/service-topology/\n\n## edge-20.8.2\n\nThis edge release adds an internationalization framework to the dashboard,\nSpanish translations to the dashboard UI, and a `linkerd multicluster uninstall`\ncommand for graceful removal of the multicluster components.\n\n* Web UI\n * Added Spanish translations to the dashboard\n * Added a framework and documentation to simplify creation of new\n translations\n* Multicluster\n * Added a multicluster uninstall command\n * Added a warning from `linkerd check --multicluster` if the multicluster\n support is not installed\n\n## edge-20.8.1\n\nThis edge adds multi-arch support to Linkerd! Our docker images and CLI now\nsupport the amd64, arm64, and arm architectures.\n\n* Multicluster\n * Added a multicluster unlink command for removing multicluster links\n * Improved multicluster checks to be more informative when the remote API is\n not reachable\n* Proxy\n * Enabled a multi-threaded runtime to substantially improve latency especially\n when the proxy is serving requests for many concurrent connections\n* Other\n * Fixed an issue where the debug sidecar image was missing during upgrades\n (thanks @javaducky!)\n * Updated all control plane plane and proxy container images to be multi-arch\n to support amd64, arm64, and arm (thanks @aliariff!)\n * Fixed an issue where check was failing when DisableHeartBeat was set to true\n (thanks @mvaal!)\n\n## edge-20.7.5\n\nThis edge brings a new approach to multicluster service mirror controllers and\nthe way services in target clusters are selected for mirroring.\n\nThe long-awaited Bring-Your-Own-Prometheus case has been finally addressed.\n\nMany other improvements from our great contributors are described below. Also\nnote progress is still being made under the covers for future support for Service\nTopologies (by @Matei207) and delivering image builds in multiple platforms (by\n@aliariff).\n\n* Multicluster\n * Replaced the single `service-mirror` controller, with separate controllers\n that will be installed per target cluster through `linkerd multicluster\n link`. More info [here](https://github.com/linkerd/linkerd2/pull/4710).\n * Changed the mechanism for mirroring services: instead of relying on\n annotations on the target services, now the source cluster should specify\n which services from the target cluster should be exported by using a label\n selector. More info [here](https://github.com/linkerd/linkerd2/pull/4795).\n * Added new section in the dashboard for exposing multicluster gateway metrics\n (thanks @tharun208!)\n* Prometheus\n * Added `global.prometheusUrl` to the Helm config to have linkerd use an\n external Prometheus instance instead of the one provided by default.\n * Added ability to declare sidecar containers in the Prometheus Helm config.\n This allows adding components for cases like exporting logs to services\n such as Cloudwatch, Stackdriver, Datadog, etc. (thanks @memory!)\n * Upgraded Prometheus to the latest version (v2.19.3), which should consume\n substantially less memory, among other benefits.\n* Other\n * Fixed bug in `linkerd check` that was failing to wait for Prometheus to be\n available right after having installed linkerd.\n * Added ability to set `priorityClassName` for CNI DaemonSet pods, and to\n install CNI in an existing namespace (both options provided through the CLI\n and as Helm configs) (thanks @alex-berger!)\n * Added support for overriding the proxy's inbound and outbound TCP connection\n timeouts (thanks @mmiller1!)\n * Added library support for dashboard i18n. Strings still need to be tagged\n and translations to be added. More info\n [here](https://github.com/linkerd/linkerd2/pull/4803).\n * In some Helm charts, replaced the non-standard\n `linkerd.io/helm-release-version` annotation with `checksum/config` for\n forcing restarting the component during upgrades (thanks @naseemkullah!)\n * Upgraded the proxy init-container to v1.3.4, which comes with an updated\n debian-buster distro and will provide cleaner logs listing the iptables\n rules applied.\n\n## edge-20.7.4\n\nThis edge release adds support for the new Kubernetes\n[EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)\nresource to the Destination controller. Using the EndpointSlice API is more\nefficient for the Kubernetes control plane than using the Endpoints API. If\nthe cluster supports EndpointSlices (a beta feature in Kubernetes 1.17),\nLinkerd can be installed with `--enable-endpoint-slices` flag to use this\nresource rather than the Endpoints API.\n\n* Added fish shell completions to the `linkerd` command (thanks @WLun001!)\n* Enabled the support for EndpointSlices (thanks @Matei207!)\n* Separated Prometheus checks and made them runnable only when the add-on\n is enabled\n\n## edge-20.7.3\n\n* Add preliminary support for EndpointSlices which will be usable in future\n releases (thanks @Matei207!)\n* Internal improvements to the CI process for testing Helm installations\n\n## edge-20.7.2\n\nThis edge release moves Linkerd's bundled Prometheus into an add-on. This makes\nthe Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle\nfrom the rest of the control plane, and will allow users to disable the bundled\nPrometheus instance. In addition, this release includes fixes for several\nissues, including a regression where the proxy would fail to report OpenCensus\nspans.\n\n* Prometheus is now an optional add-on, enabled by default\n* Custom tolerations can now be specified for control plane resources when\n installing with Helm (thanks @DesmondH0!)\n* Evicted data plane pods are no longer considered to be failed by `linkerd\n check --proxy`, fixing an issue where the check would be retried indefinitely\n as long as evicted pods are present\n* Fixed a regression where proxy spans were not reported to OpenCensus\n* Fixed a bug where the proxy injector would fail to render skipped port lists\n when installed with Helm\n* Internal improvements to the proxy for lower latencies under high concurrency\n* Thanks to @Hellcatlk and @surajssd for adding new unit tests and spelling\n fixes!\n\n## edge-20.7.1\n\nThis edge release features the option to persist prometheus data to a volume\ninstead of memory, so that historical metrics are available when prometheus is\nrestarted. Additional changes are outlined in the bullet points below.\n\n* Some commands like `linkerd stat` would fail if any control plane components\n were unhealthy, even when other replicas are healthy. The check conditions\n for these commands have been improved\n* The helm chart can now configure persistent storage for Prometheus\n (thanks @naseemkullah!)\n* The proxy log output format can now be configured to `plain` or `json` using\n the `config.linkerd.io/proxy-log-format` annotation or the\n `global.proxy.logFormat` value in the helm chart\n (thanks again @naseemkullah!)\n* `linkerd install --addon-config=` now supports URLs in addition to local\n files\n* The CNI Helm chart used the incorrect variable name to determine the `createdBy`\n version tag. This is now controlled by `cniPluginVersion` in the helm chart\n* The proxy's default buffer size has been increased, which reduces latency when\n the proxy has many concurrent clients\n\n## edge-20.6.4\n\nThis edge release moves the proxy onto a new version of the Tokio runtime. This\nallows us to more easily integrate with the ecosystem and may yield performance\nbenefits as well.\n\n* Upgraded the proxy's underlying Tokio runtime and its related libraries\n* Added support for PKCS8 formatted ECDSA private keys\n* Added support for Helm configuration of per-component proxy resources requests\n and limits (thanks @cypherfox!)\n* Updated the `linkerd inject` command to throw an error while injecting\n non-compliant pods (thanks @mayankshah1607)\n\n## stable-2.8.1\n\nThis release fixes multicluster gateways support on EKS.\n\n* The multicluster service-mirror has been extended to resolve DNS names for\n target clusters when an IP address is not known.\n* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger\n for providing a fix!\n* Have the service mirror controller check in `linkerd check` retry on failures.\n* As of this version we're including a Chocolatey package (Windows) next to the\n other binaries in the release assets in GitHub.\n* Base images have been updated:\n * debian:buster-20200514-slim\n * grafana/grafana:7.0.3\n* The shell scripts under `bin` continued to be improved, thanks to @joakimr-axis!\n\n## edge-20.6.3\n\nThis edge release is a release candidate for stable-2.8.1. It includes a fix\nto support multicluster gateways on EKS.\n\n* The `config.linkerd.io/proxy-destination-get-networks` annotation configures\n the networks for which a proxy can discover metadata. This is an advanced\n configuration option that has security implications.\n* The multicluster service-mirror has been extended to resolve DNS names for\n target clusters when an IP address it not known.\n* Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger\n for providing a fix!\n* The CLI will be published for Chocolatey (Windows) on future stable releases.\n* Base images have been updated:\n * debian:buster-20200514-slim\n * grafana/grafana:7.0.3\n\n## stable-2.8.0\n\nThis release introduces new a multi-cluster extension to Linkerd, allowing it\nto establish connections across Kubernetes clusters that are secure,\ntransparent to the application, and work with any network topology.\n\n* The CLI has a new set of `linkerd multicluster` sub-commands that provide\n tooling to create the resources needed to discover services across\n Kubernetes clusters.\n* The `linkerd multicluster gateways` command exposes gateway-specific\n telemetry to supplement the existing `stat` and `tap` commands.\n* The Linkerd-provided Grafana instance remains enabled by default, but it can\n now be disabled. When it is disabled, the Linkerd dashboard can be\n configured to link to an alternate, externally-managed Grafana instance.\n* Jaeger & OpenCensus are configurable as an [add-on][addon-2.8.0]; and the\n proxy has been improved to emit spans with labels that reflect its pod's\n metadata.\n* The `linkerd-cni` component has been promoted from _experimental_ to\n _stable_.\n* `linkerd profile --open-api` now honors the `x-linkerd-retryable` and\n `x-linkerd-timeout` OpenAPI annotations.\n* The Helm chart continues to become more flexible and modular, with new\n Prometheus configuration options. More information is available in the\n [Helm chart README][helm-2.8.0].\n* gRPC stream error handling has been improved so that transport errors\n are indicated to the client with a `grpc-status: UNAVAILABLE` trailer.\n* The proxy's memory footprint could grow significantly when\n server-speaks-first-protocol connections hit the proxy. Now, a timeout is\n in place to prevent these connections from consuming resources.\n* After benchmarking the proxy in high-concurrency situations, the inbound\n proxy has been improved to reduce contention, improving latency and\n reducing spurious timeouts.\n* The proxy could fail requests to services that had only 1 request every 60\n seconds. This race condition has been eliminated.\n* Finally, users reported that ingress misconfigurations could cause the proxy\n to consume an entire CPU which could lead to timeouts. The proxy now\n attempts to prevent the most common traffic-loop scenarios to protect against\n this.\n\n_**NOTE**_: Linkerd's `multicluster` extension does not yet work on Amazon\nEKS. We expect to follow this release with a stable-2.8.1 to address this\nissue. Follow [#4582](https://github.com/linkerd/linkerd2/pull/4582) for updates.\n\nThis release includes changes from a massive list of contributors. A special\nthank-you to everyone who helped make this release possible: @aliariff,\n@amariampolskiy, @arminbuerkle, @arthursens, @christianhuening,\n@christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble,\n@joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207,\n@mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.\n\n[addon-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md#add-ons-configuration\n[helm-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md\n\n## edge-20.6.2\n\nThis edge release is our second release candidate for `stable-2.8`, including\nvarious fixes and improvements around multicluster support.\n\n* CLI\n * Fixed bad output in the `linkerd multicluster gateways` command\n * Improved the error returned when running the CLI with no KUBECONFIG path set\n (thanks @Matei207!)\n* Controller\n * Fixed issue where mirror service wasn't created when paired to a gateway\n whose external IP wasn't yet provided\n * Fixed issue where updating the gateway identity annotation wasn't propagated\n back into the mirror gateway endpoints object\n * Fixed issue where updating the gateway ports wasn't reflected in the gateway\n mirror service\n * Increased the log level for some of the service mirror events\n * Changed the nginx gateway config so that it runs as non-root and denies all\n requests to locations other than the probe path\n* Web UI\n * Fixed multicluster Grafana dashboard\n* Internal\n * Added flag in integration tests to dump fixture diffs into a separate\n directory (thanks @cypherfox!)\n\n## edge-20.6.1\n\nThis edge release is a release candidate for `stable-2.8`! It introduces several\nimprovements and fixes for multicluster support.\n\n* CLI\n * Added multicluster daisy chain checks to `linkerd check`\n * Added list of successful gateways in multicluster checks section of `linkerd\n check`\n* Controller\n * Renamed `nginx-configuration` ConfigMap to `linkerd-gateway-config` (please\n manually remove the former if upgrading from an earlier multicluster\n install, thanks @mayankshah1607!)\n * Renamed multicluster gateway ports to `mc-gateway` and `mc-probe`\n * Fixed Service Profiles routes for `linkerd-prometheus`\n* Internal\n * Fixed shellcheck errors in all `bin/` scripts (thanks @joakimr-axis!)\n* Helm\n * Added support for `linkerd mc allow`\n * Added ability to disable secret resources for self-signed certs (thanks\n @cypherfox!)\n* Proxy\n * Modified the `linkerd-gateway` component to use the inbound proxy, rather\n than nginx, for gateway; this allows Linkerd to detect loops and propagate\n identity\n\n## edge-20.5.5\n\nThis edge release adds refinements to the Linkerd multicluster implementation,\nadds new health checks for the tracing add-on, and addresses an issue in which\noutbound requests from the proxy result in looping behavior.\n\n* CLI\n * Added the `multicluster` command along with subcommands to configure and\n deploy Linkerd workloads which enable services to be mirrored across\n clusters\n * Added health-checks for tracing add-on\n* Proxy\n * Added logic to prevent loops in outbound requests\n\n## edge-20.5.4\n\n* CLI\n * Fixed the display of the meshed pod column for non-selector services in\n `linkerd stat` output\n * Added an `addon-overwrite` upgrade flag which allows users to overwrite the\n existing addon config rather than merging into it\n * Added a `--close-wait-timeout` inject flag which sets the\n `nf_conntrack_tcp_timeout_close_wait` property which can be used to mitigate\n connection issues with application that hold half-closed sockets\n* Controller\n * Restricted the service-mirror's RBAC permissions so that it no longer is\n able to read secrets in all namespaces\n * Moved many multicluster components into the `linkerd-multicluster` namespace\n by default\n * Added multicluster gateway mirror services to allow multicluster liveness\n probes to work in private networks\n * Fixed an issue where multicluster gateway mirror services could be\n incorrectly deleted during a resync\n* Internal\n * Fixed many style issues in build scripts (thanks @joakimr-axis!)\n* Helm\n * Added `global.grafanaUrl` variable to allow using an existing Grafana\n installation\n\n## edge-20.5.3\n\n* Controller\n * Added a Grafana dashboard for tracking multi-cluster traffic metrics\n * Added health checks for the Grafana add-on, under a separate section\n * Fixed issues when updating a remote multi-cluster gateway\n\n* Proxy\n * Added special special handling for I/O errors in HTTP responses so that an\n `errno` label is included to describe the underlying errors in the proxy's\n metrics\n\n* Internal\n * Started gathering stats of CI runs for aggregating CI health metrics\n\n## edge-20.5.2\n\nThis edge release contains everything required to get up and running with\nmulticluster. For a tutorial on how to do that, check out the\n[documentation](https://linkerd.io/2/features/multicluster_support/).\n\n* CLI\n * Added a section to the `linkerd check` that validates that all clusters\n part of a multicluster setup have compatible trust anchors\n * Modified the `inkerd cluster export-service` command to work by\n transforming yaml instead of modifying cluster state\n * Added functionality that allows the `linkerd cluster export-service`\n command to operate on lists of services\n* Controller\n * Changed the multicluster gateway to always require TLS on connections\n originating from outside the cluster\n * Removed admin server timeouts from control plane components, thereby\n fixing a bug that can cause liveness checks to fail\n* Helm\n * Moved Grafana templates into a separate add-on chart\n* Proxy\n * Improved latency under high-concurrency use cases.\n\n## edge-20.5.1\n\n* CLI\n * Fixed all commands to use kubeconfig's default namespace if specified\n (thanks @Matei207!)\n * Added multicluster checks to the `linkerd check` command\n * Hid development flags in the `linkerd install` command for release builds\n* Controller\n * Added ability to configure Prometheus Alertmanager as well as recording\n and alerting rules on the Linkerd Prometheus (thanks @naseemkullah!)\n * Added ability to add more commandline flags to the Prometheus command\n (thanks @naseemkullah!)\n* Web UI\n * Fixed TrafficSplit detail page not loading\n * Added Jaeger links to the dashboard when the tracing addon is enabled\n* Proxy\n * Modified internal buffering to avoid idling out services as a request\n arrives, fixing failures for requests that are sent exactly once per\n minute--such as Prometheus scrapes\n\n## edge-20.4.5\n\nThis edge release includes several new CLI commands for use with multi-cluster\ngateways, and adds liveness checks and metrics for gateways. Additionally, it\nmakes the proxy's gRPC error-handling behavior more consistent with other\nimplementations, and includes a fix for a bug in the web UI.\n\n* CLI\n * Added `linkerd cluster setup-remote` command for setting up a\n multi-cluster gateway\n * Added `linkerd cluster gateways` command to display stats for\n multi-cluster gateways\n * Changed `linkerd cluster export-service` to modify a provided YAML file\n and output it, rather than mutating the cluster\n* Controller\n * Added liveness checks and Prometheus metrics for multi-cluster gateways\n * Changed the proxy injector to configure proxies to do destination lookups\n for IPs in the private IP range\n* Web UI\n * Fixed errors when viewing resource detail pages\n* Internal\n * Created script and config to build a Linkerd CLI Chocolatey package for\n Windows users, which will be published with stable releases (thanks to\n @drholmie!)\n* Proxy\n * Changed the proxy to set a `grpc-status: UNAVAILABLE` trailer when a gRPC\n response stream is interrupted by a transport error\n\n## edge-20.4.4\n\nThis edge release fixes a packaging issue in `edge-20.4.3`.\n\n_From `edge.20.4.3` release notes_:\n\nThis edge release adds functionality to the CLI to output more detail and\nincludes changes which support the multi-cluster functionality. Also, the helm\nsupport has been expanded to make installation more configurable. Finally, the\nHA reliability is improved by ensuring that control plane pods are restarted\nwith a rolling strategy\n\n* CLI\n * Added output to the `linkerd check --proxy` command to list all data plane\n pods which are not up-to-date rather than just printing the first one it\n encounters\n * Added a `--proxy` flag to the `linkerd version` command which lists all\n proxy versions running in the cluster and the number of pods running each\n version\n * Lifted requirement of using --unmeshed for linkerd stat when querying\n TrafficSplit resources\n * Added support for multi-stage installs with Add-Ons\n* Controller\n * Added a rolling update strategy to Linkerd deployments that have multiple\n replicas during HA deployments to ensure that at most one pod begins\n terminating before a new pod ready is ready\n * Added a new label for the proxy injector to write to the template,\n `linkerd.io/workload-ns` which indicates the namespace of the workload/pod\n* Internal\n * Added a [security\n policy](https://help.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)\n to facilitate conversations around security\n* Helm\n * Changed charts to use downwardAPI to mount labels to the proxy container\n making them easier to identify\n* Proxy\n * Changed the Linkerd proxy endpoint for liveness to use the new `/live`\n admin endpoint instead of the `/metrics` endpoint, because the `/live`\n endpoint returns a smaller payload\n * Added a per-endpoint authority-override feature to support multi-cluster\n gateways\n\n## edge-20.4.3\n\n**This release is superseded by `edge-20.4.4`**\n\nThis edge release adds functionality to the CLI to output more detail and\nincludes changes which support the multi-cluster functionality. Also, the helm\nsupport has been expanded to make installation more configurable. Finally, the\nHA reliability is improved by ensuring that control plane pods are restarted\nwith a rolling strategy\n\n* CLI\n * Added output to the `linkerd check --proxy` command to list all data plane\n pods which are not up-to-date rather than just printing the first one it\n encounters\n * Added a `--proxy` flag to the `linkerd version` command which lists all\n proxy versions running in the cluster and the number of pods running each\n version\n * Lifted requirement of using --unmeshed for linkerd stat when querying\n TrafficSplit resources\n * Added support for multi-stage installs with Add-Ons\n* Controller\n * Added a rolling update strategy to Linkerd deployments that have multiple\n replicas during HA deployments to ensure that at most one pod begins\n terminating before a new pod ready is ready\n * Added a new label for the proxy injector to write to the template,\n `linkerd.io/workload-ns` which indicates the namespace of the workload/pod\n* Internal\n * Added a [security\n policy](https://help.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)\n to facilitate conversations around security\n* Helm\n * Changed charts to use downwardAPI to mount labels to the proxy container\n making them easier to identify\n* Proxy\n * Changed the Linkerd proxy endpoint for liveness to use the new `/live`\n admin endpoint instead of the `/metrics` endpoint, because the `/live`\n endpoint returns a smaller payload\n * Added a per-endpoint authority-override feature to support multi-cluster\n gateways\n\n## edge-20.4.2\n\nThis release brings a number of CLI fixes and Controller improvements.\n\n* CLI\n * Fixed a bug that caused pods to crash after upgrade if\n `--skip-outbound-ports` or `--skip-inbound-ports` were used\n * Added `unmeshed` flag to the `stat` command, such that unmeshed resources\n are only displayed if the user opts-in\n * Added a `--smi-metrics` flag to `install`, to allow installation of the\n experimental `linkerd-smi-metrics` component\n * Fixed a bug in `linkerd stat`, causing incorrect output formatting when\n using the `--o wide` flag\n * Fixed a bug, causing `linkerd uninstall` to fail when attempting to delete\n PSPs\n* Controller\n * Improved the anti-affinity of `linkerd-smi-metrics` deployment to avoid\n pod scheduling problems during `upgrade`\n * Improved endpoints change detection in the `linkerd-destination` service,\n enabling mirrored remote services to change cluster gateways\n * Added `operationID` field to tap OpenAPI response to prevent issues during\n upgrade from 2.6 to 2.7\n* Proxy\n * Added a new protocol detection timeout to prevent clients from consuming\n resources indefinitely when not sending any data\n\n## edge-20.4.1\n\nThis release introduces some cool new functionalities, all provided by our\nawesome community of contributors! Also two bugs were fixed that were\nintroduced since edge-20.3.2.\n\n* CLI\n * Added `linkerd uninstall` command to uninstall the control plane (thanks\n @Matei207!)\n * Fixed a bug causing `linkerd routes -o wide` to not show the proper actual\n success rate\n* Controller\n * Fail proxy injection if the pod spec has `automountServiceAccountToken`\n disabled (thanks @mayankshah1607!)\n* Web UI\n * Added a route dashboard to Grafana (thanks @lundbird!)\n* Proxy\n * Fixed a bug causing the proxy's inbound to spuriously return 503 timeouts\n\n## edge-20.3.4\n\nThis release introduces several fixes and improvements to the CLI.\n\n* CLI\n * Added support for kubectl-style label selectors in many CLI commands\n (thanks @mayankshah1607!)\n * Fixed the path regex in service profiles generated from proto files\n without a package name (thanks @amariampolskiy!)\n * Fixed an error when injecting Cronjobs that have no metadata\n * Relaxed the clock skew check to match the default node heartbeat interval\n on Kubernetes 1.17 and made this check a warning\n * Fixed a bug where the linkerd-smi-metrics pod could not be created on\n clusters with pod security policy enabled\n* Internal\n * Upgraded tracing components to more recent versions and improved resource\n defaults (thanks @Pothulapati!)\n\n## edge-20.3.3\n\nThis release introduces new experimental CLI commands for querying metrics\nusing the Service Mesh Interface (SMI) and for multi-cluster support via\nservice mirroring.\n\nIf you would like to learn more about service mirroring or SMI, or are\ninterested in experimenting with these features, please join us in [Linkerd\nSlack](https://slack.linkerd.io) for help and feedback.\n\n* CLI\n * Added experimental `linkerd cluster` commands for managing multi-cluster\n service mirroring\n * Added the experimental `linkerd alpha clients` command, which uses the\n smi-metrics API to display client-side metrics from each of a resource's\n clients\n * Added retries to some `linkerd check` checks to prevent spurious failures\n when run immediately after cluster creation or Linkerd installation\n\n## edge-20.3.2\n\nThis release introduces substantial proxy improvements as well as new\nobservability and security functionality.\n\n* CLI\n * Added the `linkerd alpha stat` command, which uses the smi-metrics API;\n the latter enables access to metrics to be controlled with RBAC\n* Controller\n * Added support for configuring service profile timeouts\n `(x-linkerd-timeout)` via OpenAPI spec (thanks @lewiscowper!)\n* Web UI\n * Improved the Grafana dashboards to use a globing operator for Prometheus\n in order to avoid producing queries that are too large (thanks @mmiller1!)\n* Helm\n * Improved the `linkerd2` chart README (thanks @lundbird!)\n* Proxy\n * Fixed a bug that could cause log levels to be processed incorrectly\n\n## edge-20.3.1\n\nThis release introduces new functionality mainly focused around observability\nand multi-cluster support via `service mirroring`.\n\nIf you would like to learn more about `service mirroring` or are interested in\nexperimenting with this feature, please join us in [Linkerd\nSlack](https://slack.linkerd.io) for help and feedback.\n\n* CLI\n * Improved the `linkerd check` command to check for extension server\n certificate (thanks @christyjacob4!)\n* Controller\n * Removed restrictions preventing Linkerd from injecting proxies into\n Contour (thanks @alfatraining!)\n * Added an experimental version of a service mirroring controller, allowing\n discovery of services on remote clusters.\n* Web UI\n * Fixed a bug causing incorrect Grafana links to be rendered in the web\n dashboard.\n* Proxy\n * Fixed a bug that could cause the proxy's load balancer to stop processing\n updates from service discovery.\n\n## edge-20.2.3\n\nThis release introduces the first optional add-on `tracing`, added through the\nnew add-on model!\n\nThe existing optional `tracing` components Jaeger and OpenCensus can now be\ninstalled as add-on components.\n\nThere will be more information to come about the new add-on model, but please\nrefer to the details of [#3955](https://github.com/linkerd/linkerd2/pull/3955)\nfor how to get started.\n\n* CLI\n * Added the `linkerd diagnostics` command to get metrics only from the\n control plane, excluding metrics from the data plane proxies (thanks\n @srv-twry!)\n * Added the `linkerd install --prometheus-image` option for installing a\n custom Prometheus image (thanks @christyjacob4!)\n * Fixed an issue with `linkerd upgrade` where changes to the `Namespace`\n object were ignored (thanks @supra08!)\n* Controller\n * Added the `tracing` add-on which installs Jaeger and OpenCensus as add-on\n components (thanks @Pothulapati!!)\n* Proxy\n * Increased the inbound router's default capacity from 100 to 10k to\n accommodate environments that have a high cardinality of virtual hosts\n served by a single pod\n* Web UI\n * Fixed styling in the CallToAction banner (thanks @aliariff!)\n\n## edge-20.2.2\n\nThis release includes the results from continued profiling & performance\nanalysis on the Linkerd proxy. In addition to modifying internals to prevent\nunwarranted memory growth, new metrics were introduced to aid in debugging and\ndiagnostics.\n\nAlso, Linkerd's CNI plugin is out of experimental, check out the docs at\n !\n\n* CLI\n * Added support for label selectors in the `linkerd stat` command (thanks\n @mayankshah1607!)\n * Added scrolling functionality to the `linkerd top` output (thanks\n @kohsheen1234!)\n * Fixed bug in `linkerd metrics` that was causing a panic when\n port-forwarding failed (thanks @mayankshah1607!)\n * Added check to `linkerd check` verifying the number of replicas for\n Linkerd components in HA (thanks @mayankshah1607!)\n * Unified trust anchors terminology across the CLI commands\n * Removed some messages from `linkerd upgrade`'s output that are no longer\n relevant (thanks @supra08!)\n\n* Controller\n * Added support for configuring service profile retries\n `(x-linkerd-retryable)` via OpenAPI spec (thanks @kohsheen1234!)\n * Improved traffic split metrics so sources in all namespaces are shown, not\n just traffic from the traffic split's own namespace\n * Improved linkerd-identity's logs and events to help diagnosing certificate\n validation issues (thanks @mayankshah1607!)\n\n* Proxy\n * Added `request_errors_total` metric exposing the number of requests that\n receive synthesized responses due to proxy errors\n\n* Helm\n * Added a new `enforcedHostRegexp` variable to allow configuring the\n linkerd-web component enforced host (that was previously introduced to\n protect against DNS rebinding attacks) (thanks @sannimichaelse!)\n\n* Internal\n * Removed various es-lint warnings from the dashboard code (thanks\n @christyjacob4 and @kohsheen1234!)\n * Fixed go module file syntax (thanks @daxmc99!)\n\n## stable-2.7.0\n\nThis release adds support for integrating Linkerd's PKI with an external\ncertificate issuer such as [`cert-manager`] as well as streamlining the\ncertificate rotation process in general. For more details about cert-manager\nand certificate rotation, see the\n[docs](https://linkerd.io/2/tasks/use_external_certs/). This release also\nincludes performance improvements to the dashboard, reduced memory usage of\nthe proxy, various improvements to the Helm chart, and much much more.\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: This release includes breaking changes to our Helm charts.\nPlease see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-270).\n\n**Special thanks to**: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre,\n@javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607,\n@Pothulapati, and @StupidScience!\n\n**Full release notes**:\n\n* CLI\n * Updated the mTLS trust anchor checks to eliminate false positives caused\n by extra trailing spaces\n * Reduced the severity level of the Linkerd version checks, so that they\n don't fail when the external version endpoint is unreachable (thanks\n @mayankshah1607!)\n * Added a new `tap` APIService check to aid with uncovering Kubernetes API\n aggregation layer issues (thanks @droidnoob!)\n * Introduced CNI checks to confirm the CNI plugin is installed and ready;\n this is done through `linkerd check --pre --linkerd-cni-enabled` before\n installation and `linkerd check` after installation if the CNI plugin is\n present\n * Added support for the `--as-group` flag so that users can impersonate\n groups for Kubernetes operations (thanks @mayankshah1607!)\n * Added HA specific checks to `linkerd check` to ensure that the\n `kube-system` namespace has the\n `config.linkerd.io/admission-webhooks:disabled` label set\n * Fixed a problem causing the presence of unnecessary empty fields in\n generated resource definitions (thanks @mayankshah1607)\n * Added the ability to pass both port numbers and port ranges to\n `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)\n * Increased the comprehensiveness of `linkerd check --pre`\n * Added TLS certificate validation to `check` and `upgrade` commands\n * Added support for injecting CronJobs and ReplicaSets, as well as the\n ability to use them as targets in the CLI subcommands\n * Introduced the new flags `--identity-issuer-certificate-file`,\n `--identity-issuer-key-file` and `identity-trust-anchors-file` to `linkerd\n upgrade` to support trust anchor and issuer certificate rotation\n * Added a check that ensures using `--namespace` and `--all-namespaces`\n results in an error as they are mutually exclusive\n * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow\n configuring the number of dashboard replicas (thanks @KIVagant!)\n * Removed redundant service profile check (thanks @alenkacz!)\n * Updated `uninject` command to work with namespace resources (thanks\n @mayankshah1607!)\n * Added a new `--identity-external-issuer` flag to `linkerd install` that\n configures Linkerd to use certificates issued by an external certificate\n issuer (such as `cert-manager`)\n * Added support for injecting a namespace to `linkerd inject` (thanks\n @mayankshah1607!)\n * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets\n can be created and accessed\n * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed\n IPs that match multiple running pods\n * Made `linkerd install --ignore-cluster` and `--skip-checks` faster\n * Fixed a bug causing `linkerd upgrade` to fail when used with\n `--from-manifest`\n * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)\n * Updated `check` to ensure that proxy trust anchors match configuration\n (thanks @ereslibre!)\n * Added condition to the `linkerd stat` command that requires a window size\n of at least 15 seconds to work properly with Prometheus\n* Controller\n * Fixed an issue where an override of the Docker registry was not being\n applied to debug containers (thanks @javaducky!)\n * Added check for the Subject Alternate Name attributes to the API server\n when access restrictions have been enabled (thanks @javaducky!)\n * Added support for arbitrary pod labels so that users can leverage the\n Linkerd provided Prometheus instance to scrape for their own labels\n (thanks @daxmc99!)\n * Fixed an issue with CNI config parsing\n * Fixed a race condition in the `linkerd-web` service\n * Updated Prometheus to 2.15.2 (thanks @Pothulapati)\n * Increased minimum kubernetes version to 1.13.0\n * Added support for pod ip and service cluster ip lookups in the destination\n service\n * Added recommended kubernetes labels to control-plane\n * Added the `--wait-before-exit-seconds` flag to linkerd inject for the\n proxy sidecar to delay the start of its shutdown process (a huge commit\n from @KIVagant, thanks!)\n * Added a pre-sign check to the identity service\n * Fixed inject failures for pods with security context capabilities\n * Added `conntrack` to the `debug` container to help with connection\n tracking debugging\n * Fixed a bug in `tap` where mismatch cluster domain and trust domain caused\n `tap` to hang\n * Fixed an issue in the `identity` RBAC resource which caused start up\n errors in k8s 1.6 (thanks @Pothulapati!)\n * Added support for using trust anchors from an external certificate issuer\n (such as `cert-manager`) to the `linkerd-identity` service\n * Added support for headless services (thanks @JohannesEH!)\n* Helm\n * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`\n * **Breaking Change** Updated Helm charts to follow best practices (thanks\n @Pothulapati and @javaducky!)\n * Fixed an issue with `helm install` where the lists of ignored inbound and\n outbound ports would not be reflected\n * Fixed the `linkerd-cni` Helm chart not setting proper namespace\n annotations and labels\n * Fixed certificate issuance lifetime not being set when installing through\n Helm\n * Updated the helm build to retain previous releases\n * Moved CNI template into its own Helm chart\n* Proxy\n * Fixed an issue that could cause the OpenCensus exporter to stall\n * Improved error classification and error responses for gRPC services\n * Fixed a bug where the proxy could stop receiving service discovery\n updates, resulting in 503 errors\n * Improved debug/error logging to include detailed contextual information\n * Fixed a bug in the proxy's logging subsystem that could cause the proxy to\n consume memory until the process is OOM killed, especially when the proxy\n was configured to log diagnostic information\n * Updated proxy dependencies to address RUSTSEC-2019-0033,\n RUSTSEC-2019-0034, and RUSTSEC-2020-02\n* Web UI\n * Fixed an error when refreshing an already open dashboard when the Linkerd\n version has changed\n * Increased the speed of the dashboard by pausing network activity when the\n dashboard is not visible to the user\n * Added support for CronJobs and ReplicaSets, including new Grafana\n dashboards for them\n * Added `linkerd check` to the dashboard in the `/controlplane` view\n * Added request and response headers to the `tap` expanded view in the\n dashboard\n * Added filter to namespace select button\n * Improved how empty tables are displayed\n * Added `Host:` header validation to the `linkerd-web` service, to protect\n against DNS rebinding attacks\n * Made the dashboard sidebar component responsive\n * Changed the navigation bar color to the one used on the\n [Linkerd](https://linkerd.io/) website\n* Internal\n * Added validation to incoming sidecar injection requests that ensures the\n value of `linkerd.io/inject` is either `enabled` or `disabled` (thanks\n @mayankshah1607)\n * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)\n * Fixed an issue causing `tap`, `injector` and `sp-validator` to use old\n certificates after `helm upgrade` due to not being restarted\n * Fixed incomplete Swagger definition of the tap api, causing benign error\n logging in the kube-apiserver\n * Removed the destination container from the linkerd-controller deployment\n as it now runs in the linkerd-destination deployment\n * Allowed the control plane to be injected with the `debug` container\n * Updated proxy image build script to support HTTP proxy options (thanks\n @joakimr-axis!)\n * Updated the CLI `doc` command to auto-generate documentation for the proxy\n configuration annotations (thanks @StupidScience!)\n * Added new `--trace-collector` and `--trace-collector-svc-account` flags to\n `linkerd inject` that configures the OpenCensus trace collector used by\n proxies in the injected workload (thanks @Pothulapati!)\n * Added a new `--control-plane-tracing` flag to `linkerd install` that\n enables distributed tracing in the control plane (thanks @Pothulapati!)\n * Added distributed tracing support to the control plane (thanks\n @Pothulapati!)\n\n## edge-20.2.1\n\nThis edge release is a release candidate for `stable-2.7` and fixes an issue\nwhere the proxy could consume inappropriate amounts of memory.\n\n* Proxy\n * Fixed a bug in the proxy's logging subsystem that could cause the proxy to\n consume memory until the process is OOM killed, especially when the proxy\n was configured to log diagnostic information\n * Fixed properly emitting `grpc-status` headers when signaling proxy errors\n to gRPC clients\n * Updated certain proxy dependencies to address RUSTSEC-2019-0033,\n RUSTSEC-2019-0034, and RUSTSEC-2020-02\n\n## edge-20.1.4\n\nThis edge release is a release candidate for `stable-2.7`.\n\nThe `linkerd check` command has been updated to improve the control plane\ndebugging experience.\n\n* CLI\n * Updated the mTLS trust anchor checks to eliminate false positives caused\n by extra trailing spaces\n * Reduced the severity level of the Linkerd version checks, so that they\n don't fail when the external version endpoint is unreachable (thanks\n @mayankshah1607!)\n * Added a new `tap` APIService check to aid with uncovering Kubernetes API\n aggregation layer issues (thanks @droidnoob!)\n\n## edge-20.1.3\n\nThis edge release is a release candidate for `stable-2.7`.\n\nAn update to the Helm charts has caused a **breaking change** for users who\nhave installed Linkerd using Helm. In order to make the purpose of the\n`noInitContainer` parameter more explicit, it has been renamed to\n`cniEnabled`.\n\n* CLI\n * Introduced CNI checks to confirm the CNI plugin is installed and ready;\n this is done through `linkerd check --pre --linkerd-cni-enabled` before\n installation and `linkerd check` after installation if the CNI plugin is\n present\n * Added support for the `--as-group` flag so that users can impersonate\n groups for Kubernetes operations (thanks @mayankshah160!)\n* Controller\n * Fixed an issue where an override of the Docker registry was not being\n applied to debug containers (thanks @javaducky!)\n * Added check for the Subject Alternate Name attributes to the API server\n when access restrictions have been enabled (thanks @javaducky!)\n * Added support for arbitrary pod labels so that users can leverage the\n Linkerd provided Prometheus instance to scrape for their own labels\n (thanks @daxmc99!)\n * Fixed an issue with CNI config parsing\n* Helm\n * **Breaking change**: Renamed `noInitContainer` parameter to `cniEnabled`\n * Fixed an issue with `helm install` where the lists of ignored inbound and\n outbound ports would not be reflected\n\n## edge-20.1.2\n\n* CLI\n * Added HA specific checks to `linkerd check` to ensure that the\n `kube-system` namespace has the\n `config.linkerd.io/admission-webhooks:disabled` label set\n * Fixed a problem causing the presence of unnecessary empty fields in\n generated resource definitions (thanks @mayankshah1607)\n* Proxy\n * Fixed an issue that could cause the OpenCensus exporter to stall\n* Internal\n * Added validation to incoming sidecar injection requests that ensures the\n value of `linkerd.io/inject` is either `enabled` or `disabled` (thanks\n @mayankshah1607)\n\n## edge-20.1.1\n\nThis edge release includes experimental improvements to the Linkerd proxy's\nrequest buffering and backpressure infrastructure.\n\nAdditionally, we've fixed several bugs when installing Linkerd with Helm,\nupdated the CLI to allow using both port numbers _and_ port ranges with the\n`--skip-inbound-ports` and `--skip-outbound-ports` flags, and fixed a\ndashboard error that can occur if the dashboard is open in a browser while\nupdating Linkerd.\n\n**Note**: The `linkerd-proxy` version included with this release is more\nexperimental than usual. We'd love your help testing, but be aware that there\nmight be stability issues.\n\n* CLI\n * Added the ability to pass both port numbers and port ranges to\n `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)\n* Controller\n * Fixed a race condition in the `linkerd-web` service\n * Updated Prometheus to 2.15.2 (thanks @Pothulapati)\n* Web UI\n * Fixed an error when refreshing an already open dashboard when the Linkerd\n version has changed\n* Proxy\n * Internal changes to the proxy's request buffering and backpressure\n infrastructure\n* Helm\n * Fixed the `linkerd-cni` Helm chart not setting proper namespace\n annotations and labels\n * Fixed certificate issuance lifetime not being set when installing through\n Helm\n * More improvements to Helm best practices (thanks to @Pothulapati!)\n\n## edge-19.12.3\n\nThis edge release adds support for pod IP and service cluster IP lookups,\nimproves performance of the dashboard, and makes `linkerd check --pre` perform\nmore comprehensive checks.\n\nThe `--wait-before-exit-seconds` flag has been added to allow Linkerd users to\n opt in to `preStop hooks`. The details of this change are in\n [#3798](https://github.com/linkerd/linkerd2/pull/3798).\n\nAlso, the proxy has been updated to `v2.82.0` which improves gRPC error\nclassification and [ensures that\nresolutions](https://github.com/linkerd/linkerd2/pull/3848) are released when\nthe associated balancer becomes idle.\n\nFinally, an update to follow best practices in the Helm charts has caused a\n_breaking change_. Users who have installed Linkerd using Helm must be certain\nto read the details of\n[#3822](https://github.com/linkerd/linkerd2/issues/3822)\n\n* CLI\n * Increased the comprehensiveness of `linkerd check --pre`\n * Added TLS certificate validation to `check` and `upgrade` commands\n* Controller\n * Increased minimum kubernetes version to 1.13.0\n * Added support for pod ip and service cluster ip lookups in the destination\n service\n * Added recommended kubernetes labels to control-plane\n * Added the `--wait-before-exit-seconds` flag to linkerd inject for the\n proxy sidecar to delay the start of its shutdown process (a huge commit\n from @KIVagant, thanks!)\n * Added a pre-sign check to the identity service\n* Web UI\n * Increased the speed of the dashboard by pausing network activity when the\n dashboard is not visible to the user\n* Proxy\n * Added a timeout to release resolutions to idle balancers\n * Improved error classification for gRPC services\n* Internal\n * **Breaking Change** Updated Helm charts to follow best practices using\n proper casing (thanks @Pothulapati!)\n\n## edge-19.12.2\n\n* CLI\n * Added support for injecting CronJobs and ReplicaSets, as well as the\n ability to use them as targets in the CLI subcommands\n * Introduced the new flags `--identity-issuer-certificate-file`,\n `--identity-issuer-key-file` and `identity-trust-anchors-file` to `linkerd\n upgrade` to support trust anchor and issuer certificate rotation\n* Controller\n * Fixed inject failures for pods with security context capabilities\n* Web UI\n * Added support for CronJobs and ReplicaSets, including new Grafana\n dashboards for them\n* Proxy\n * Fixed a bug where the proxy could stop receiving service discovery\n updates, resulting in 503 errors\n* Internal\n * Moved CNI template into a Helm chart to prepare for future publication\n * Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)\n * Reenabled certificates rotation integration tests\n\n## edge-19.12.1\n\n* CLI\n * Added condition to the `linkerd stat` command that requires a window size\n of at least 15 seconds to work properly with Prometheus\n* Internal\n * Fixed whitespace path handling in non-docker build scripts (thanks\n @joakimr-axis!)\n * Removed Calico logutils dependency that was incompatible with Go 1.13\n * Updated Helm templates to use fully-qualified variable references based\n upon Helm best practices (thanks @javaducky!)\n\n## edge-19.11.3\n\n* CLI\n * Added a check that ensures using `--namespace` and `--all-namespaces`\n results in an error as they are mutually exclusive\n* Internal\n * Fixed an issue causing `tap`, `injector` and `sp-validator` to use old\n certificates after `helm upgrade` due to not being restarted\n * Fixed incomplete Swagger definition of the tap api, causing benign error\n logging in the kube-apiserver\n\n## edge-19.11.2\n\n* CLI\n * Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow\n configuring the number of dashboard replicas (thanks @KIVagant!)\n * Removed redundant service profile check (thanks @alenkacz!)\n* Web UI\n * Added `linkerd check` to the dashboard in the `/controlplane` view\n * Added request and response headers to the `tap` expanded view in the\n dashboard\n* Internal\n * Removed the destination container from the linkerd-controller deployment\n as it now runs in the linkerd-destination deployment\n * Upgraded Go to version 1.13.4\n\n## edge-19.11.1\n\n* CLI\n * Updated `uninject` command to work with namespace resources (thanks\n @mayankshah1607!)\n* Controller\n * Added `conntrack` to the `debug` container to help with connection\n tracking debugging\n * Fixed a bug in `tap` where mismatch cluster domain and trust domain caused\n `tap` to hang\n * Fixed an issue in the `identity` RBAC resource which caused start up\n errors in k8s 1.6 (thanks @Pothulapati!)\n* Proxy\n * Improved debug/error logging to include detailed contextual information\n* Web UI\n * Added filter to namespace select button\n * Improved how empty tables are displayed\n* Internal\n * Added integration test for custom cluster domain\n * Allowed the control plane to be injected with the `debug` container\n * Updated proxy image build script to support HTTP proxy options (thanks\n @joakimr-axis!)\n * Updated the CLI `doc` command to auto-generate documentation for the proxy\n configuration annotations (thanks @StupidScience!)\n\n## edge-19.10.5\n\nThis edge release adds support for integrating Linkerd's PKI with an external\ncertificate issuer such as [`cert-manager`], adds distributed tracing support\nto the Linkerd control plane, and adds protection against DNS rebinding\nattacks to the web dashboard. In addition, it includes several improvements to\nthe Linkerd CLI.\n\n* CLI\n * Added a new `--identity-external-issuer` flag to `linkerd install` that\n configures Linkerd to use certificates issued by an external certificate\n issuer (such as `cert-manager`)\n * Added support for injecting a namespace to `linkerd inject` (thanks\n @mayankshah1607!)\n * Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets\n can be created and accessed\n * Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed\n IPs that match multiple running pods\n* Controller\n * Added support for using trust anchors from an external certificate issuer\n (such as `cert-manager`) to the `linkerd-identity` service\n* Web UI\n * Added `Host:` header validation to the `linkerd-web` service, to protect\n against DNS rebinding attacks\n* Internal\n * Added new `--trace-collector` and `--trace-collector-svc-account` flags to\n `linkerd inject` that configures the OpenCensus trace collector used by\n proxies in the injected workload (thanks @Pothulapati!)\n * Added a new `--control-plane-tracing` flag to `linkerd install` that\n enables distributed tracing in the control plane (thanks @Pothulapati!)\n * Added distributed tracing support to the control plane (thanks\n @Pothulapati!)\n\nAlso, thanks to @joakimr-axis for several fixes and improvements to internal\nbuild scripts!\n\n[`cert-manager`]: https://github.com/jetstack/cert-manager\n\n## edge-19.10.4\n\nThis edge release adds dashboard UX enhancements, and improves the speed of\nthe CLI.\n\n* CLI\n * Made `linkerd install --ignore-cluster` and `--skip-checks` faster\n * Fixed a bug causing `linkerd upgrade` to fail when used with\n `--from-manifest`\n* Web UI\n * Made the dashboard sidebar component responsive\n * Changed the navigation bar color to the one used on the\n [Linkerd](https://linkerd.io/) website\n\n## edge-19.10.3\n\nThis edge release adds support for headless services, improves the upgrade\nprocess after installing Linkerd with a custom cluster domain, and enhances\nthe `check` functionality to report invalid trust anchors.\n\n* CLI\n * Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)\n * Updated `check` to ensure that proxy trust anchors match configuration\n (thanks @ereslibre!)\n* Controller\n * Added support for headless services (thanks @JohannesEH!)\n* Helm\n * Updated the helm build to retain previous releases\n\n## stable-2.6.0\n\nThis release introduces distributed tracing support, adds request and response\nheaders to `linkerd tap`, dramatically improves the performance of the\ndashboard on large clusters, adds traffic split visualizations to the\ndashboard, adds a public Helm repo, and many more improvements!\n\nFor more details, see the announcement blog post:\n\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: Please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-6-0).\n\n**Special thanks to**: @alenkacz, @arminbuerkle, @bmcstdio, @bourquep,\n@brianstorti, @kevtaylor, @KIVagant, @pierDipi, and @Pothulapati!\n\n**Full release notes**:\n\n* CLI\n * Added a new `json` output option to the `linkerd tap` command, which\n exposes request and response headers\n * Added a public Helm repo - for full installation instructions, see our\n [Helm documentation](https://linkerd.io/2/tasks/install-helm/).\n * Added an `--address` flag to `linkerd dashboard`, allowing users to\n specify a port-forwarding address (thanks @bmcstdio!)\n * Added node selector constraints to Helm installation, so users can control\n which nodes the control plane is deployed to (thanks @bmcstdio!)\n * Added a `--cluster-domain` flag to the `linkerd install` command that\n allows setting a custom cluster domain (thanks @arminbuerkle!)\n * Added a `--disable-heartbeat` flag for `linkerd install | upgrade`\n commands\n * Allowed disabling namespace creation when installing Linkerd using Helm\n (thanks @KIVagant!)\n * Improved the error message when the CLI cannot connect to Kubernetes\n (thanks @alenkacz!)\n* Controller\n * Updated the Prometheus config to keep only needed `cadvisor` metrics,\n substantially reducing the number of time-series stored in most clusters\n * Introduced `config.linkerd.io/trace-collector` and\n `config.alpha.linkerd.io/trace-collector-service-account` pod spec\n annotations to support per-pod tracing\n * Instrumented the proxy injector to provide additional metrics about\n injection (thanks @Pothulapati!)\n * Added Kubernetes events (and log lines) when the proxy injector injects a\n deployment, and when injection is skipped\n * Fixed a workload admission error between the Kubernetes apiserver and the\n HA proxy injector, by allowing workloads in a namespace to be omitted from\n the admission webhooks phase using the\n `config.linkerd.io/admission-webhooks: disabled` label (thanks\n @hasheddan!)\n * Fixed proxy injector timeout during a large number of concurrent\n injections\n * Added support for disabling the heartbeat cronjob (thanks @kevtaylor!)\n* Proxy\n * Added distributed tracing support\n * Decreased proxy Docker image size by removing bundled debug tools\n * Added 587 (SMTP) to the list of ports to ignore in protocol detection\n (bound to server-speaks-first protocols) (thanks @brianstorti!)\n* Web UI\n * Redesigned dashboard navigation so workloads are now viewed by namespace,\n with an \"All Namespaces\" option, in order to increase dashboard speed\n * Added Traffic Splits as a resource to the dashboard, including a Traffic\n Split detail page\n * Added a `Linkerd Namespace` Grafana dashboard, allowing users to view\n historical data for a given namespace, similar to CLI output for `linkerd\n stat deploy -n myNs` (thanks @bourquep!)\n * Fixed bad request in the top routes tab on empty fields (thanks\n @pierDipi!)\n* Internal\n * Moved CI from Travis to GitHub Actions\n * Added requirement for Go `1.12.9` for controller builds to include\n security fixes\n * Added support for Kubernetes `1.16`\n * Upgraded client-go to `v12.0.0`\n\n## edge-19.10.2\n\nThis edge release is a release candidate for `stable-2.6`.\n\n* Controller\n * Added the destination container back to the controller; it had previously\n been separated into its own deployment. This ensures backwards\n compatibility and allows users to avoid data plane downtime during an\n upcoming upgrade to `stable-2.6`.\n\n## edge-19.10.1\n\nThis edge release is a release candidate for `stable-2.6`.\n\n* Proxy\n * Improved error logging when the proxy fails to emit trace spans\n * Fixed bug in distributed tracing where trace ids with fewer than 16 bytes\n were discarded\n* Internal\n * Added integration tests for `linkerd edges` and `linkerd endpoints`\n\n## edge-19.9.5\n\nThis edge release is a release candidate for `stable-2.6`.\n\n* Helm\n * Added node selector constraints, so users can control which nodes the\n control plane is deployed to (thanks @bmcstdio!)\n* CLI\n * Added request and response headers to the JSON output option for `linkerd\n tap`\n\n## edge-19.9.4\n\nThis edge release introduces experimental support for distributed tracing as\nwell as a redesigned sidebar in the Web UI!\n\nExperimental support for distributed tracing means that Linkerd data plane\nproxies can now emit trace spans, allowing you to see the exact amount of time\nspent in the Linkerd proxy for traced requests. The new\n`config.linkerd.io/trace-collector` and\n`config.alpha.linkerd.io/trace-collector-service-account` tracing annotations\nallow specifying which pods should emit trace spans.\n\nThe goal of the dashboard's sidebar redesign was to reduce load on Prometheus\nand simplify navigation by providing top-level views centered around\nnamespaces and workloads.\n\n* CLI\n * Introduced a new `--cluster-domain` flag to the `linkerd install` command\n that allows setting a custom cluster domain (thanks @arminbuerkle!)\n * Fixed the `linkerd endpoints` command to use the correct Destination API\n address (thanks @Pothulapati!)\n * Added `--disable-heartbeat` flag for `linkerd` `install|upgrade` commands\n* Controller\n * Instrumented the proxy-injector to provide additional metrics about\n injection (thanks @Pothulapati!)\n * Added support for `config.linkerd.io/admission-webhooks: disabled` label\n on namespaces so that the pods creation events in these namespaces are\n ignored by the proxy injector; this fixes situations in HA deployments\n where the proxy-injector is installed in `kube-system` (thanks\n @hasheddan!)\n * Introduced `config.linkerd.io/trace-collector` and\n `config.alpha.linkerd.io/trace-collector-service-account` pod spec\n annotations to support per-pod tracing\n* Web UI\n * Workloads are now viewed by namespace, with an \"All Namespaces\" option, to\n improve dashboard performance\n* Proxy\n * Added experimental distributed tracing support\n\n## edge-19.9.3\n\n* Helm\n * Allowed disabling namespace creation during install (thanks @KIVagant!)\n* CLI\n * Added a new `json` output option to the `linkerd tap` command\n* Controller\n * Fixed proxy injector timeout during a large number of concurrent\n injections\n * Separated the destination controller into its own separate deployment\n * Updated Prometheus config to keep only needed `cadvisor` metrics,\n substantially reducing the number of time-series stored in most clusters\n* Web UI\n * Fixed bad request in the top routes tab on empty fields (thanks\n @pierDipi!)\n* Proxy\n * Fixes to the client's backoff logic\n * Added 587 (SMTP) to the list of ports to ignore in protocol detection\n (bound to server-speaks-first protocols) (thanks @brianstorti!)\n\n## edge-19.9.2\n\nMuch of our effort has been focused on improving our build and test\ninfrastructure, but this edge release lays the groundwork for some big new\nfeatures to land in the coming releases!\n\n* Helm\n * There's now a public Helm repo! This release can be installed with: `helm\n repo add linkerd-edge https://helm.linkerd.io/edge && helm install\n linkerd-edge/linkerd2`\n * Improved TLS credential parsing by ignoring spurious newlines\n* Proxy\n * Decreased proxy-init Docker image size by removing bundled debug tools\n* Web UI\n * Fixed an issue where the edges table could end up with duplicates\n * Added an icon to more clearly label external links\n* Internal\n * Upgraded client-go to v12.0.0\n * Moved CI from Travis to GitHub Actions\n\n## edge-19.9.1\n\nThis edge release adds traffic splits into the Linkerd dashboard as well as a\nvariety of other improvements.\n\n* CLI\n * Improved the error message when the CLI cannot connect to Kubernetes\n (thanks @alenkacz!)\n * Added `--address` flag to `linkerd dashboard` (thanks @bmcstdio!)\n* Controller\n * Fixed an issue where the proxy-injector had insufficient RBAC permissions\n * Added support for disabling the heartbeat cronjob (thanks @kevtaylor!)\n* Proxy\n * Decreased proxy Docker image size by removing bundled debug tools\n * Fixed an issue where the incorrect content-length could be set for GET\n requests with bodies\n* Web UI\n * Added trafficsplits as a resource to the dashboard, including a\n trafficsplit detail page\n* Internal\n * Added support for Kubernetes 1.16\n\n## edge-19.8.7\n\n* Controller\n * Added Kubernetes events (and log lines) when the proxy injector injects a\n deployment, and when injection is skipped\n * Additional preparation for configuring the cluster base domain (thanks\n @arminbuerkle!)\n* Proxy\n * Changed the proxy to require the `LINKERD2_PROXY_DESTINATION_SVC_ADDR`\n environment variable when starting up\n* Web UI\n * Increased dashboard speed by consolidating existing Prometheus queries\n\n## edge-19.8.6\n\nA new Grafana dashboard has been added which shows historical data for a\nselected namespace. The build process for controller components now requires\n`Go 1.12.9`. Additional contributions were made towards support for custom\ncluster domains.\n\n* Web UI\n * Added a `Linkerd Namespace` Grafana dashboard, allowing users to view\n historical data for a given namespace, similar to CLI output for `linkerd\n stat deploy -n myNs` (thanks @bourquep!)\n* Internal\n * Added requirement for Go `1.12.9` for controller builds to include\n security fixes\n * Set `LINKERD2_PROXY_DESTINATION_GET_SUFFIXES` proxy environment variable,\n in preparation for custom cluster domain support (thanks @arminbuerkle!)\n\n## stable-2.5.0\n\nThis release adds [Helm support](https://linkerd.io/2/tasks/install-helm/),\n[tap authentication and authorization via RBAC](https://linkerd.io/tap-rbac),\ntraffic split stats, dynamic logging levels, a new cluster monitoring\ndashboard, and countless performance enhancements and bug fixes.\n\nFor more details, see the announcement blog post:\n\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control\nplane. This command ensures that all existing control plane's configuration\nand mTLS secrets are retained. For more details, please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-5-0).\n\n**Special thanks to**: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber,\nand @Pothulapati!\n\n**Full release notes**:\n\n* CLI\n * **New** Updated `linkerd tap`, `linkerd top` and `linkerd profile --tap`\n to require `tap.linkerd.io` RBAC privileges. See\n for more info\n * **New** Added traffic split metrics via `linkerd stat trafficsplits`\n subcommand\n * Made the `linkerd routes` command traffic split aware\n * Introduced the `linkerd --as` flag which allows users to impersonate\n another user for Kubernetes operations\n * Introduced the `--all-namespaces` (`-A`) option to the `linkerd get`,\n `linkerd edges` and `linkerd stat` commands to retrieve resources across\n all namespaces\n * Improved the installation report produced by the `linkerd check` command\n to include the control plane pods' live status\n * Fixed bug in the `linkerd upgrade config` command that was causing it to\n crash\n * Introduced `--use-wait-flag` to the `linkerd install-cni` command, to\n configure the CNI plugin to use the `-w` flag for `iptables` commands\n * Introduced `--restrict-dashboard-privileges` flag to `linkerd install`\n command, to disallow tap in the dashboard\n * Fixed `linkerd uninject` not removing `linkerd.io/inject: enabled`\n annotations\n * Fixed `linkerd stat -h` example commands (thanks @ethan-daocloud!)\n * Fixed incorrect \"meshed\" count in `linkerd stat` when resources share the\n same label selector for pods (thanks @jonathanbeber!)\n * Added pod status to the output of the `linkerd stat` command (thanks\n @jonathanbeber!)\n * Added namespace information to the `linkerd edges` command output and a\n new `-o wide` flag that shows the identity of the client and server if\n known\n * Added a check to the `linkerd check` command to validate the user has\n privileges necessary to create CronJobs\n * Added a new check to the `linkerd check --pre` command validating that if\n PSP is enabled, the NET_RAW capability is available\n* Controller\n * **New** Disabled all unauthenticated tap endpoints. Tap requests now\n require [RBAC authentication and\n authorization](https://linkerd.io/tap-rbac)\n * The `l5d-require-id` header is now set on tap requests so that a\n connection is established over TLS\n * Introduced a new RoleBinding in the `kube-system` namespace to provide\n [access to tap](https://linkerd.io/tap-rbac)\n * Added HTTP security headers on all dashboard responses\n * Added support for namespace-level proxy override annotations (thanks\n @Pothulapati!)\n * Added resource limits when HA is enabled (thanks @Pothulapati!)\n * Added pod anti-affinity rules to the control plane pods when HA is enabled\n (thanks @Pothulapati!)\n * Fixed a crash in the destination service when an endpoint does not have a\n `TargetRef`\n * Updated the destination service to return `InvalidArgument` for external\n name services so that the proxy does not immediately fail the request\n * Fixed an issue with discovering StatefulSet pods via their unique hostname\n * Fixed an issue with traffic split where outbound proxy stats are missing\n * Upgraded the service profile CRD to v1alpha2. No changes required for\n users currently using v1alpha1\n * Updated the control plane's pod security policy to restrict workloads from\n running as `root` in the CNI mode (thanks @codeman9!)\n * Introduced optional cluster heartbeat cron job\n * Bumped Prometheus to 2.11.1\n * Bumped Grafana to 6.2.5\n* Proxy\n * **New** Added a new `/proxy-log-level` endpoint to update the log level at\n runtime\n * **New** Updated the tap server to only admit requests from the control\n plane's tap controller\n * Added `request_handle_us` histogram to measure proxy overhead\n * Fixed gRPC client cancellations getting recorded as failures rather than\n as successful\n * Fixed a bug where tap would stop streaming after a short amount of time\n * Fixed a bug that could cause the proxy to leak service discovery\n resolutions to the Destination controller\n* Web UI\n * **New** Added \"Kubernetes cluster monitoring\" Grafana dashboard with\n cluster and containers metrics\n * Updated the web server to use the new tap APIService. If the `linkerd-web`\n service account is not authorized to tap resources, users will see a link\n to documentation to remedy the error\n\n## edge-19.8.5\n\nThis edge release is a release candidate for `stable-2.5`.\n\n* CLI\n * Fixed CLI filepath issue on Windows\n* Proxy\n * Fixed gRPC client cancellations getting recorded as failures rather than\n as successful\n\n## edge-19.8.4\n\nThis edge release is a release candidate for `stable-2.5`.\n\n* CLI\n * Introduced `--use-wait-flag` to the `linkerd install-cni` command, to\n configure the CNI plugin to use the `-w` flag for `iptables` commands\n* Controller\n * Disabled the tap gRPC server listener. All tap requests now require RBAC\n authentication and authorization\n\n## edge-19.8.3\n\nThis edge release introduces a new `linkerd stat trafficsplits` subcommand, to\nshow traffic split metrics. It also introduces a \"Kubernetes cluster\nmonitoring\" Grafana dashboard.\n\n* CLI\n * Added traffic split metrics via `linkerd stat trafficsplits` subcommand\n * Fixed `linkerd uninject` not removing `linkerd.io/inject: enabled`\n annotations\n * Fixed `linkerd stat -h` example commands (thanks @ethan-daocloud!)\n* Controller\n * Added support for namespace-level proxy override annotations\n * Removed unauthenticated tap from the Public API\n* Proxy\n * Added `request_handle_us` histogram to measure proxy overhead\n * Updated the tap server to only admit requests from the control plane's tap\n controller\n * Fixed a bug where tap would stop streaming after a short amount of time\n * Fixed a bug that could cause the proxy to leak service discovery\n resolutions to the Destination controller\n* Web UI\n * Added \"Kubernetes cluster monitoring\" Grafana dashboard with cluster and\n containers metrics\n* Internal\n * Updated `linkerd install` and `linkerd upgrade` to use Helm charts for\n templating\n * Pinned Helm tooling to `v2.14.3`\n * Added Helm integration tests\n * Added container CPU and memory usage to `linkerd-heartbeat` requests\n * Removed unused inject code (thanks @alenkacz!)\n\n## edge-19.8.2\n\nThis edge release introduces the new Linkerd control plane Helm chart, named\n`linkerd2`. Helm users can now install and remove the Linkerd control plane by\nusing the `helm install` and `helm delete` commands. Proxy injection also now\nuses Helm charts.\n\nNo changes were made to the existing `linkerd install` behavior.\n\nFor detailed installation steps using Helm, see the notes for\n[#3146](https://github.com/linkerd/linkerd2/pull/3146).\n\n* CLI\n * Updated `linkerd top` and `linkerd profile --tap` to require\n `tap.linkerd.io` RBAC privileges, see for\n more info\n * Modified `tap.linkerd.io` APIService to enable usage in `kubectl auth\n can-i` commands\n * Introduced `--restrict-dashboard-privileges` flag to `linkerd install`\n command, to restrict the dashboard's default privileges to disallow tap\n* Controller\n * Introduced a new ClusterRole, `linkerd-linkerd-tap-admin`, which gives\n cluster-wide tap privileges. Also introduced a new ClusterRoleBinding,\n `linkerd-linkerd-web-admin`, which binds the `linkerd-web` service account\n to the new tap ClusterRole\n * Removed successfully completed `linkerd-heartbeat` jobs from pod listing\n in the linkerd control plane to streamline `get po` output (thanks\n @Pothulapati!)\n* Web UI\n * Updated the web server to use the new tap APIService. If the `linkerd-web`\n service account is not authorized to tap resources, users will see a link\n to documentation to remedy the error\n\n## edge-19.8.1\n\n### Significant Update\n\nThis edge release introduces a new tap APIService. The Kubernetes apiserver\nauthenticates the requesting tap user and then forwards tap requests to the\nnew tap APIServer. The `linkerd tap` command now makes requests against the\nAPIService.\n\nWith this release, users must be authorized via RBAC to use the `linkerd tap`\ncommand. Specifically `linkerd tap` requires the `watch` verb on all resources\nin the `tap.linkerd.io/v1alpha1` APIGroup. More granular access is also\navailable via sub-resources such as `deployments/tap` and `pods/tap`.\n\n* CLI\n * Added a check to the `linkerd check` command to validate the user has\n privileges necessary to create CronJobs\n * Introduced the `linkerd --as` flag which allows users to impersonate\n another user for Kubernetes operations\n * The `linkerd tap` command now makes requests against the tap APIService\n* Controller\n * Added HTTP security headers on all dashboard responses\n * Fixed nil pointer dereference in the destination service when an endpoint\n does not have a `TargetRef`\n * Added resource limits when HA is enabled\n * Added RSA support to TLS libraries\n * Updated the destination service to return `InvalidArgument` for external\n name services so that the proxy does not immediately fail the request\n * The `l5d-require-id` header is now set on tap requests so that a\n connection is established over TLS\n * Introduced the `APIService/v1alpha1.tap.linkerd.io` global resource\n * Introduced the `ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator`\n global resource\n * Introduced the `Secret/linkerd-tap-tls` resource into the `linkerd`\n namespace\n * Introduced the `RoleBinding/linkerd-linkerd-tap-auth-reader` resource into\n the `kube-system` namespace\n* Proxy\n * Added the `LINKERD2_PROXY_TAP_SVC_NAME` environment variable so that the\n tap server attempts to authorize client identities\n* Internal\n * Replaced `dep` with Go modules for dependency management\n\n## edge-19.7.5\n\n* CLI\n * Improved the installation report produced by the `linkerd check` command\n to include the control plane pods' live status\n * Added the `--all-namespaces` (`-A`) option to the `linkerd get`, `linkerd\n edges` and `linkerd stat` commands to retrieve resources across all\n namespaces\n* Controller\n * Fixed an issue with discovering StatefulSet pods via their unique hostname\n * Fixed an issue with traffic split where outbound proxy stats are missing\n * Bumped Prometheus to 2.11.1\n * Bumped Grafana to 6.2.5\n * Upgraded the service profile CRD to v1alpha2 where the openAPIV3Schema\n validation is replaced by a validating admission webhook. No changes\n required for users currently using v1alpha1\n * Updated the control plane's pod security policy to restrict workloads from\n running as `root` in the CNI mode (thanks @codeman9!)\n * Introduced cluster heartbeat cron job\n* Proxy\n * Introduced the `l5d-require-id` header to enforce TLS outbound\n communication from the Tap server\n\n## edge-19.7.4\n\n* CLI\n * Made the `linkerd routes` command traffic-split aware\n * Fixed bug in the `linkerd upgrade config` command that was causing it to\n crash\n * Added pod status to the output of the `linkerd stat`command (thanks\n @jonathanbeber!)\n * Fixed incorrect \"meshed\" count in `linkerd stat` when resources share the\n same label selector for pods (thanks @jonathanbeber!)\n * Added namespace information to the `linkerd edges` command output and a\n new `-o wide` flag that shows the identity of the client and server if\n known\n * Added a new check to the `linkerd check --pre` command validating that if\n PSP is enabled, the NET_RAW capability is available\n* Controller\n * Added pod anti-affinity rules to the control plane pods when HA is enabled\n (thanks @Pothulapati!)\n* Proxy\n * Improved performance by using a constant-time load balancer\n * Added a new `/proxy-log-level` endpoint to update the log level at runtime\n\n## stable-2.4.0\n\nThis release adds traffic splitting functionality, support for the Kubernetes\nService Mesh Interface (SMI), graduates high-availability support out of\nexperimental status, and adds a tremendous list of other improvements,\nperformance enhancements, and bug fixes.\n\nLinkerd's new traffic splitting feature allows users to dynamically control\nthe percentage of traffic destined for a service. This powerful feature can be\nused to implement rollout strategies like canary releases and blue-green\ndeploys. Support for the [Service Mesh Interface](https://smi-spec.io) (SMI)\nmakes it easier for ecosystem tools to work across all service mesh\nimplementations.\n\nAlong with the introduction of optional install stages via the `linkerd\ninstall config` and `linkerd install control-plane` commands, the default\nbehavior of the `linkerd inject` command only adds annotations and defers\ninjection to the always-installed proxy injector component.\n\nFinally, there have been many performance and usability improvements to the\nproxy and UI, as well as production-ready features including:\n\n* A new `linkerd edges` command that provides fine-grained observability into\n the TLS-based identity system\n* A `--enable-debug-sidecar` flag for the `linkerd inject` command that\n improves debugging efforts\n\nLinkerd recently passed a CNCF-sponsored security audit! Check out the\nin-depth report\n[here](https://github.com/linkerd/linkerd2/blob/master/SECURITY_AUDIT.pdf).\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control\nplane. This command ensures that all existing control plane's configuration\nand mTLS secrets are retained. For more details, please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0)\nfor more details.\n\n**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr,\n@matej-g, @Pothulapati, @zaharidichev\n\n**Full release notes**:\n\n* CLI\n * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy\n injector is now always installed\n * **Breaking Change** Replaced the `--linkerd-version` flag with the\n `--proxy-version` flag in the `linkerd install` and `linkerd upgrade`\n commands, which allows setting the version for the injected proxy sidecar\n image, without changing the image versions for the control plane\n * Introduced install stages: `linkerd install config` and `linkerd install\n control-plane`\n * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade\n control-plane`\n * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing\n manually feeding a previously saved output of `linkerd install` into the\n command, instead of requiring a connection to the cluster to fetch the\n config\n * Introduced a new `--manual` flag to `linkerd inject` to output the proxy\n sidecar container spec\n * Introduced a new `--enable-debug-sidecar` flag to `linkerd inject`, that\n injects a debug sidecar to inspect traffic to and from the meshed pod\n * Added a new check for unschedulable pods and PSP issues (thanks,\n @liquidslr!)\n * Disabled the spinner in `linkerd check` when running without a TTY\n * Ensured the ServiceAccount for the proxy injector is created before its\n Deployment to avoid warnings when installing the proxy injector (thanks,\n @dwj300!)\n * Added a `linkerd check config` command for verifying that `linkerd install\n config` was successful\n * Improved the help documentation of `linkerd install` to clarify flag usage\n * Added support for private Kubernetes clusters by changing the CLI to\n connect to the control plane using a port-forward (thanks, @jackprice!)\n * Fixed `linkerd check` and `linkerd dashboard` failing when any control\n plane pod is not ready, even when multiple replicas exist (as in HA mode)\n * **New** Added a `linkerd edges` command that shows the source and\n destination name and identity for proxied connections, to assist in\n debugging\n * Tap can now be disabled for specific pods during injection by using the\n `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`\n annotation\n * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)\n * Added a JSON option to the `linkerd edges` command so that output is\n scripting friendly and can be parsed easily (thanks @alenkacz!)\n * Fixed an issue when Linkerd is installed with `--ha`, running `linkerd\n upgrade` without `--ha` will disable the high availability control plane\n * Fixed an issue with `linkerd upgrade` where running without `--ha` would\n unintentionally disable high availability features if they were previously\n enabled\n * Added a `--init-image-version` flag to `linkerd inject` to override the\n injected proxy-init container version\n * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so\n that `NET_ADMIN` capability is omitted from the CNI-enabled control\n plane's PSP\n * Updated `linkerd check` to validate the caller can create\n `PodSecurityPolicy` resources\n * Added a check to `linkerd install` to prevent installing multiple control\n planes into different namespaces avoid conflicts between global resources\n * Added support for passing a URL directly to `linkerd inject` (thanks\n @Pothulapati!)\n * Added more descriptive output to the `linkerd check` output for control\n plane ReplicaSet readiness\n * Refactored the `linkerd endpoints` to use the same interface as used by\n the proxy for service discovery information\n * Fixed a bug where `linkerd inject` would fail when given a path to a file\n outside the current directory\n * Graduated high-availability support out of experimental status\n * Modified the error message for `linkerd install` to provide instructions\n for proceeding when an existing installation is found\n* Controller\n * Added Go pprof HTTP endpoints to all control plane components' admin\n servers to better assist debugging efforts\n * Fixed bug in the proxy injector, where sporadically the pod workload owner\n wasn't properly determined, which would result in erroneous stats\n * Added support for a new `config.linkerd.io/disable-identity` annotation to\n opt out of identity for a specific pod\n * Fixed pod creation failure when a `ResourceQuota` exists by adding a\n default resource spec for the proxy-init init container\n * Fixed control plane components failing on startup when the Kubernetes API\n returns an `ErrGroupDiscoveryFailed`\n * Added Controller Component Labels to the webhook config resources (thanks,\n @Pothulapati!)\n * Moved the tap service into its own pod\n * **New** Control plane installations now generate a self-signed certificate\n and private key pair for each webhook, to prepare for future work to make\n the proxy injector and service profile validator HA\n * Added the `config.linkerd.io/enable-debug-sidecar` annotation allowing the\n `--enable-debug-sidecar` flag to work when auto-injecting Linkerd proxies\n * Added multiple replicas for the `proxy-injector` and `sp-validator`\n controllers when run in high availability mode (thanks to @Pothulapati!)\n * Defined least privilege default security context values for the proxy\n container so that auto-injection does not fail (thanks @codeman9!)\n * Default the webhook failure policy to `Fail` in order to account for\n unexpected errors during auto-inject; this ensures uninjected applications\n are not deployed\n * Introduced control plane's PSP and RBAC resources into Helm templates;\n these policies are only in effect if the PSP admission controller is\n enabled\n * Removed `UPDATE` operation from proxy-injector webhook because pod\n mutations are disallowed during update operations\n * Default the mutating and validating webhook configurations `sideEffects`\n property to `None` to indicate that the webhooks have no side effects on\n other resources (thanks @Pothulapati!)\n * Added support for the SMI TrafficSplit API which allows users to define\n traffic splits in TrafficSplit custom resources\n * Added the `linkerd.io/control-plane-ns` label to all Linkerd resources\n allowing them to be identified using a label selector\n * Added Prometheus metrics for the Kubernetes watchers in the destination\n service for better visibility\n* Proxy\n * Replaced the fixed reconnect backoff with an exponential one (thanks,\n @zaharidichev!)\n * Fixed an issue where load balancers can become stuck\n * Added a dispatch timeout that limits the amount of time a request can be\n buffered in the proxy\n * Removed the limit on the number of concurrently active service discovery\n queries to the destination service\n * Fix an epoll notification issue that could cause excessive CPU usage\n * Added the ability to disable tap by setting an env var (thanks,\n @zaharidichev!)\n * Changed the proxy's routing behavior so that, when the control plane does\n not resolve a destination, the proxy forwards the request with minimal\n additional routing logic\n * Fixed a bug in the proxy's HPACK codec that could cause requests with very\n large header values to hang indefinitely\n * Fixed a memory leak that can occur if an HTTP/2 request with a payload\n ends before the entire payload is sent to the destination\n * The `l5d-override-dst` header is now used for inbound service profile\n discovery\n * Added errors totals to `response_total` metrics\n * Changed the load balancer to require that Kubernetes services are resolved\n via the control plane\n * Added the `NET_RAW` capability to the proxy-init container to be\n compatible with `PodSecurityPolicy`s that use `drop: all`\n * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`\n * Improved idle service eviction to reduce resource consumption for clients\n that send requests to many services\n * Fixed proxied HTTP/2 connections returning 502 errors when the upstream\n connection is reset, rather than propagating the reset to the client\n * Changed the proxy to treat unexpected HTTP/2 frames as stream errors\n rather than connection errors\n * Fixed a bug where DNS queries could persist longer than necessary\n * Improved router eviction to remove idle services in a more timely manner\n * Fixed a bug where the proxy would fail to process requests with obscure\n characters in the URI\n* Web UI\n * Added the Font Awesome stylesheet locally; this allows both Font Awesome\n and Material-UI sidebar icons to display consistently with no/limited\n internet access (thanks again, @liquidslr!)\n * Removed the Authorities table and sidebar link from the dashboard to\n prepare for a new, improved dashboard view communicating authority data\n * Fixed dashboard behavior that caused incorrect table sorting\n * Removed the \"Debug\" page from the Linkerd dashboard while the\n functionality of that page is being redesigned\n * Added an Edges table to the resource detail view that shows the source,\n destination name, and identity for proxied connections\n * Improved UI for Edges table in dashboard by changing column names, adding\n a \"Secured\" icon and showing an empty Edges table in the case of no\n returned edges\n* Internal\n * Known container errors were hidden in the integration tests; now they are\n reported in the output without having the tests fail\n * Fixed integration tests by adding known proxy-injector log warning to\n tests\n * Modified the integration test for `linkerd upgrade` in order to test\n upgrading from the latest stable release instead of the latest edge and\n reflect the typical use case\n * Moved the proxy-init container to a separate `linkerd/proxy-init` Git\n repository\n\n## edge-19.7.3\n\n* CLI\n * Graduated high-availability support out of experimental status\n * Modified the error message for `linkerd install` to provide instructions\n for proceeding when an existing installation is found\n* Controller\n * Added Prometheus metrics for the Kubernetes watchers in the destination\n service for better visibility\n\n## edge-19.7.2\n\n* CLI\n * Refactored the `linkerd endpoints` to use the same interface as used by\n the proxy for service discovery information\n * Fixed a bug where `linkerd inject` would fail when given a path to a file\n outside the current directory\n* Proxy\n * Fixed a bug where DNS queries could persist longer than necessary\n * Improved router eviction to remove idle services in a more timely manner\n * Fixed a bug where the proxy would fail to process requests with obscure\n characters in the URI\n\n## edge-19.7.1\n\n* CLI\n * Added more descriptive output to the `linkerd check` output for control\n plane ReplicaSet readiness\n * **Breaking change** Renamed `config.linkerd.io/debug` annotation to\n `config.linkerd.io/enable-debug-sidecar`, to match the\n `--enable-debug-sidecar` CLI flag that sets it\n * Fixed a bug in `linkerd edges` that caused incorrect identities to be\n displayed when requests were sent from two or more namespaces\n* Controller\n * Added the `linkerd.io/control-plane-ns` label to the SMI Traffic Split CRD\n* Proxy\n * Fixed proxied HTTP/2 connections returning 502 errors when the upstream\n connection is reset, rather than propagating the reset to the client\n * Changed the proxy to treat unexpected HTTP/2 frames as stream errors\n rather than connection errors\n\n## edge-19.6.4\n\nThis release adds support for the SMI [Traffic\nSplit](https://github.com/deislabs/smi-spec/blob/master/traffic-split.md) API.\nCreating a TrafficSplit resource will cause Linkerd to split traffic between\nthe specified backend services. Please see [the\nspec](https://github.com/deislabs/smi-spec/blob/master/traffic-split.md) for\nmore details.\n\n* CLI\n * Added a check to `install` to prevent installing multiple control planes\n into different namespaces\n * Added support for passing a URL directly to `linkerd inject` (thanks\n @Pothulapati!)\n * Added the `--all-namespaces` flag to `linkerd edges`\n* Controller\n * Added support for the SMI TrafficSplit API which allows users to define\n traffic splits in TrafficSplit custom resources\n* Web UI\n * Improved UI for Edges table in dashboard by changing column names, adding\n a \"Secured\" icon and showing an empty Edges table in the case of no\n returned edges\n\n## edge-19.6.3\n\n* CLI\n * Updated `linkerd check` to validate the caller can create\n `PodSecurityPolicy` resources\n* Controller\n * Default the mutating and validating webhook configurations `sideEffects`\n property to `None` to indicate that the webhooks have no side effects on\n other resources (thanks @Pothulapati!)\n* Proxy\n * Added the `NET_RAW` capability to the proxy-init container to be\n compatible with `PodSecurityPolicy`s that use `drop: all`\n * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`\n * Improved idle service eviction to reduce resource consumption for clients\n that send requests to many services\n* Web UI\n * Removed the \"Debug\" page from the Linkerd dashboard while the\n functionality of that page is being redesigned\n * Added an Edges table to the resource detail view that shows the source,\n destination name, and identity for proxied connections\n\n## edge-19.6.2\n\n* CLI\n * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so\n that `NET_ADMIN` capability is omitted from the CNI-enabled control\n plane's PSP\n* Controller\n * Default to least-privilege security context values for the proxy container\n so that auto-inject does not fail on restricted PSPs (thanks @codeman9!)\n * Defined least privilege default security context values for the proxy\n container so that auto-injection does not fail on (thanks @codeman9!)\n * Default the webhook failure policy to `Fail` in order to account for\n unexpected errors during auto-inject; this ensures uninjected applications\n are not deployed\n * Introduced control plane's PSP and RBAC resources into Helm templates;\n these policies are only in effect if the PSP admission controller is\n enabled\n * Removed `UPDATE` operation from proxy-injector webhook because pod\n mutations are disallowed during update operations\n* Proxy\n * The `l5d-override-dst` header is now used for inbound service profile\n discovery\n * Include errors in `response_total` metrics\n * Changed the load balancer to require that Kubernetes services are resolved\n via the control plane\n* Web UI\n * Fixed dashboard behavior that caused incorrect table sorting\n\n## edge-19.6.1\n\n* CLI\n * Fixed an issue where, when Linkerd is installed with `--ha`, running\n `linkerd upgrade` without `--ha` will disable the high availability\n control plane\n * Added a `--init-image-version` flag to `linkerd inject` to override the\n injected proxy-init container version\n* Controller\n * Added multiple replicas for the `proxy-injector` and `sp-validator`\n controllers when run in high availability mode (thanks to @Pothulapati!)\n* Proxy\n * Fixed a memory leak that can occur if an HTTP/2 request with a payload\n ends before the entire payload is sent to the destination\n* Internal\n * Moved the proxy-init container to a separate `linkerd/proxy-init` Git\n repository\n\n## stable-2.3.2\n\nThis stable release fixes a memory leak in the proxy.\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Full release notes**:\n\n* Proxy\n * Fixed a memory leak that can occur if an HTTP/2 request with a payload\n ends before the entire payload is sent to the destination\n\n## edge-19.5.4\n\n* CLI\n * Added a JSON option to the `linkerd edges` command so that output is\n scripting friendly and can be parsed easily (thanks @alenkacz!)\n* Controller\n * **New** Control plane installations now generate a self-signed certificate\n and private key pair for each webhook, to prepare for future work to make\n the proxy injector and service profile validator HA\n * Added a debug container annotation, allowing the `--enable-debug-sidecar`\n flag to work when auto-injecting Linkerd proxies\n* Proxy\n * Changed the proxy's routing behavior so that, when the control plane does\n not resolve a destination, the proxy forwards the request with minimal\n additional routing logic\n * Fixed a bug in the proxy's HPACK codec that could cause requests with very\n large header values to hang indefinitely\n* Web UI\n * Removed the Authorities table and sidebar link from the dashboard to\n prepare for a new, improved dashboard view communicating authority data\n* Internal\n * Modified the integration test for `linkerd upgrade` to test upgrading from\n the latest stable release instead of the latest edge, to reflect the\n typical use case\n\n## stable-2.3.1\n\nThis stable release adds a number of proxy stability improvements.\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Special thanks to**: @zaharidichev and @11Takanori!\n\n**Full release notes**:\n\n* Proxy\n * Changed the proxy's routing behavior so that, when the control plane does\n not resolve a destination, the proxy forwards the request with minimal\n additional routing logic\n * Fixed a bug in the proxy's HPACK codec that could cause requests with very\n large header values to hang indefinitely\n * Replaced the fixed reconnect backoff with an exponential one (thanks,\n @zaharidichev!)\n * Fixed an issue where requests could be held indefinitely by the load\n balancer\n * Added a dispatch timeout that limits the amount of time a request can be\n buffered in the proxy\n * Removed the limit on the number of concurrently active service discovery\n queries to the destination service\n * Fixed an epoll notification issue that could cause excessive CPU usage\n * Added the ability to disable tap by setting an env var (thanks,\n @zaharidichev!)\n\n## edge-19.5.3\n\n* CLI\n * **New** Added a `linkerd edges` command that shows the source and\n destination name and identity for proxied connections, to assist in\n debugging\n * Tap can now be disabled for specific pods during injection by using the\n `--disable-tap` flag, or by using the `config.linkerd.io/disable-tap`\n annotation\n * Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)\n* Controller\n * Added Controller Component Labels to the webhook config resources (thanks,\n @Pothulapati!)\n * Moved the tap service into its own pod\n* Proxy\n * Fix an epoll notification issue that could cause excessive CPU usage\n * Added the ability to disable tap by setting an env var (thanks,\n @zaharidichev!)\n\n## edge-19.5.2\n\n* CLI\n * Fixed `linkerd check` and `linkerd dashboard` failing when any control\n plane pod is not ready, even when multiple replicas exist (as in HA mode)\n* Controller\n * Fixed control plane components failing on startup when the Kubernetes API\n returns an `ErrGroupDiscoveryFailed`\n* Proxy\n * Added a dispatch timeout that limits the amount of time a request can be\n buffered in the proxy\n * Removed the limit on the number of concurrently active service discovery\n queries to the destination service\n\nSpecial thanks to @zaharidichev for adding end to end tests for proxies with\nTLS!\n\n## edge-19.5.1\n\n* CLI\n * Added a `linkerd check config` command for verifying that `linkerd install\n config` was successful\n * Improved the help documentation of `linkerd install` to clarify flag usage\n * Added support for private Kubernetes clusters by changing the CLI to\n connect to the control plane using a port-forward (thanks, @jackprice!)\n* Controller\n * Fixed pod creation failure when a `ResourceQuota` exists by adding a\n default resource spec for the proxy-init init container\n* Proxy\n * Replaced the fixed reconnect backoff with an exponential one (thanks,\n @zaharidichev!)\n * Fixed an issue where load balancers can become stuck\n* Internal\n * Fixed integration tests by adding known proxy-injector log warning to\n tests\n\n## edge-19.4.5\n\n### Significant Update\n\nAs of this edge release the proxy injector component is always installed. To\nhave the proxy injector inject a pod you still can manually add the\n`linkerd.io/inject: enable` annotation into the pod spec, or at the namespace\nlevel to have all your pods be injected by default. With this release the\nbehaviour of the `linkerd inject` command changes, where the proxy sidecar\ncontainer YAML is no longer included in its output by default, but instead it\nwill just add the annotations to defer the injection to the proxy injector.\nFor use cases that require the full injected YAML to be output, a new\n`--manual` flag has been added.\n\nAnother important update is the introduction of install stages. You still have\nthe old `linkerd install` command, but now it can be broken into `linkerd\ninstall config` which installs the resources that require cluster-level\nprivileges, and `linkerd install control-plane` that continues with the\nresources that only require namespace-level privileges. This also applies to\nthe `linkerd upgrade` command.\n\n* CLI\n * **Breaking Change** Removed the `--proxy-auto-inject` flag, as the proxy\n injector is now always installed\n * **Breaking Change** Replaced the `--linkerd-version` flag with the\n `--proxy-version` flag in the `linkerd install` and `linkerd upgrade`\n commands, which allows setting the version for the injected proxy sidecar\n image, without changing the image versions for the control plane\n * Introduced install stages: `linkerd install config` and `linkerd install\n control-plane`\n * Introduced upgrade stages: `linkerd upgrade config` and `linkerd upgrade\n control-plane`\n * Introduced a new `--from-manifests` flag to `linkerd upgrade` allowing\n manually feeding a previously saved output of `linkerd install` into the\n command, instead of requiring a connection to the cluster to fetch the\n config\n * Introduced a new `--manual` flag to `linkerd inject` to output the proxy\n sidecar container spec\n * Introduced a new `--enable-debug-sidecar` option to `linkerd inject`, that\n injects a debug sidecar to inspect traffic to and from the meshed pod\n * Added a new check for unschedulable pods and PSP issues (thanks,\n @liquidslr!)\n * Disabled the spinner in `linkerd check` when running without a TTY\n * Ensured the ServiceAccount for the proxy injector is created before its\n Deployment to avoid warnings when installing the proxy injector (thanks,\n @dwj300!)\n\n* Controller\n * Added Go pprof HTTP endpoints to all control plane components' admin\n servers to better assist debugging efforts\n * Fixed bug in the proxy injector, where sporadically the pod workload owner\n wasn't properly determined, which would result in erroneous stats\n * Added support for a new `config.linkerd.io/disable-identity` annotation to\n opt out of identity for a specific pod\n\n* Web UI\n * Added the Font Awesome stylesheet locally; this allows both Font Awesome\n and Material-UI sidebar icons to display consistently with no/limited\n internet access (thanks again, @liquidslr!)\n\n* Internal\n * Known container errors were hidden in the integration tests; now they are\n reported in the output, still without having the tests fail\n\n## stable-2.3.0\n\nThis stable release introduces a new TLS-based service identity system into\nthe default Linkerd installation, replacing `--tls=optional` and the\n`linkerd-ca` controller. Now, proxies generate ephemeral private keys into a\ntmpfs directory and dynamically refresh certificates, authenticated by\nKubernetes ServiceAccount tokens, and tied to ServiceAccounts as the identity\nprimitive\n\nIn this release, all meshed HTTP communication is private and authenticated by\ndefault.\n\nAmong the many improvements to the web dashboard, we've added a Community page\nto surface news and updates from linkerd.io.\n\nFor more details, see the announcement blog post:\n\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: The `linkerd-ca` controller has been removed in favor of\nthe `linkerd-identity` controller. If you had previously installed Linkerd\nwith `--tls=optional`, manually delete the `linkerd-ca` deployment after\nupgrading. Also, `--single-namespace` mode is no longer supported. For full\ndetails on upgrading to this release, please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-3-0).\n\n**Special thanks to**: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk,\n@liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!\n\n**Full release notes**:\n\n* CLI\n * Introduced an `upgrade` command! This allows an existing Linkerd control\n plane to be reinstalled or reconfigured; it is particularly useful for\n automatically reusing flags set in the previous `install` or `upgrade`\n * Introduced the `linkerd metrics` command for fetching proxy metrics\n * **Breaking Change:** The `--linkerd-cni-enabled` flag has been removed\n from the `inject` command; CNI is configured at the cluster level with the\n `install` command and no longer applies to the `inject` command\n * **Breaking Change** Removed the `--disable-external-profiles` flag from\n the `install` command; external profiles are now disabled by default and\n can be enabled with the new `--enable-external-profiles` flag\n * **Breaking change** Removed the `--api-port` flag from the `inject` and\n `install` commands, since there's no benefit to running the control\n plane's destination API on a non-default port (thanks, @paranoidaditya)\n * **Breaking change** Removed the `--tls=optional` flag from the `linkerd\n install` command, since TLS is now enabled by default\n * Changed `install` to accept or generate an issuer Secret for the Identity\n controller\n * Changed `install` to fail in the case of a conflict with an existing\n installation; this can be disabled with the `--ignore-cluster` flag\n * Added the ability to adjust the Prometheus log level via\n `--controller-log-level`\n * Implemented `--proxy-cpu-limit` and `--proxy-memory-limit` for setting the\n proxy resources limits (`--proxy-cpu` and `--proxy-memory` were deprecated\n in favor of `proxy-cpu-request` and `proxy-memory-request`) (thanks\n @TwinProduction!)\n * Added a validator for the `--proxy-log-level` flag\n * Updated the `inject` and `uninject` subcommands to issue warnings when\n resources lack a `Kind` property (thanks @Pothulapati!)\n * The `inject` command proxy options are now converted into config\n annotations; the annotations ensure that these configs are persisted in\n subsequent resource updates\n * Changed `inject` to require fetching a configuration from the control\n plane; this can be disabled with the `--ignore-cluster` and\n `--disable-identity` flags, though this will prevent the injected pods\n from participating in mesh identity\n * Included kubectl version check as part of `linkerd check` (thanks @yb172!)\n * Updated `linkerd check` to ensure hint URLs are displayed for RPC checks\n * Fixed sporadic (and harmless) race condition error in `linkerd check`\n * Introduced a check for NET_ADMIN in `linkerd check`\n * Fixed permissions check for CRDs\n * Updated the `linkerd dashboard` command to serve the dashboard on a fixed\n port, allowing it to leverage browser local storage for user settings\n * Updated the `linkerd routes` command to display rows for routes that are\n not receiving any traffic\n * Added TCP stats to the stat command, under the `-o wide` and `-o json`\n flags\n * The `stat` command now always shows the number of open TCP connections\n * Removed TLS metrics from the `stat` command; this is in preparation for\n surfacing identity metrics in a clearer way\n * Exposed the `install-cni` command and its flags, and tweaked their\n descriptions\n * Eliminated false-positive vulnerability warnings related to go.uuid\n* Controller\n * Added a new public API endpoint for fetching control plane configuration\n * **Breaking change** Removed support for running the control plane in\n single-namespace mode, which was severely limited in the number of\n features it supported due to not having access to cluster-wide resources;\n the end goal being Linkerd degrading gracefully depending on its\n privileges\n * Updated automatic proxy injection and CLI injection to support overriding\n inject defaults via pod spec annotations\n * Added support for the `config.linkerd.io/proxy-version` annotation on pod\n specs; this will override the injected proxy version\n * The auto-inject admission controller webhook is updated to watch pods\n creation and update events; with this change, proxy auto-injection now\n works for all kinds of workloads, including StatefulSets, DaemonSets,\n Jobs, etc\n * Service profile validation is now performed via a webhook endpoint; this\n prevents Kubernetes from accepting invalid service profiles\n * Changed the default CPU request from `10m` to `100m` for HA deployments;\n this will help some intermittent liveness/readiness probes from failing\n due to tight resource constraints\n * Updated destination service to return TLS identities only when the\n destination pod is TLS-aware and is in the same controller namespace\n * Lessen klog level to improve security\n * Updated control plane components to query Kubernetes at startup to\n determine authorized namespaces and if ServiceProfile support is available\n * Modified the stats payload to include the following TCP stats:\n `tcp_open_connections`, `tcp_read_bytes_total`, `tcp_write_bytes_total`\n * Instrumented clients in the control plane connecting to Kubernetes, thus\n providing better visibility for diagnosing potential problems with those\n connections\n * Renamed the \"linkerd-proxy-api\" service to \"linkerd-destination\"\n * Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3\n* Proxy\n * Introduced per-proxy private key generation and dynamic certificate\n renewal\n * **Fixed** a connection starvation issue where TLS discovery detection on\n slow or idle connections could block all other connections from being\n accepted on the inbound listener of the proxy\n * **Fixed** a stream leak between the proxy and the control plane that could\n cause the `linkerd-controller` pod to use an excessive amount of memory\n * Added a readiness check endpoint on `:4191/ready` so that Kubernetes\n doesn't consider pods ready until they have acquired a certificate from\n the Identity controller\n * Some `l5d-*` informational headers have been temporarily removed from\n requests and responses because they could leak information to external\n clients\n * The proxy's connect timeouts have been updated, especially to improve\n reconnect behavior between the proxy and the control plane\n * Increased the inbound/router cap on MAX_CONCURRENT_STREAMS\n * The `l5d-remote-ip` header is now set on inbound requests and outbound\n responses\n * Fixed issue with proxy falling back to filesystem polling due to\n improperly sized inotify buffer\n* Web UI\n * **New** Added a Community page to surface news and updates from linkerd.io\n * Added a Debug page to the web dashboard, allowing you to introspect\n service discovery state\n * The Overview page in the Linkerd dashboard now renders appropriately when\n viewed on mobile devices\n * Added filter functionality to the metrics tables\n * Added stable sorting for table rows\n * Added TCP stats to the Linkerd Pod Grafana dashboard\n * Added TCP stat tables on the namespace landing page and resource detail\n page\n * The topology graph now shows TCP stats if no HTTP stats are available\n * Improved table display on the resource detail page for resources with\n TCP-only traffic\n * Updated the resource detail page to start displaying a table with TCP\n stats\n * Modified the Grafana variable queries to use a TCP-based metric, so that\n if there is only TCP traffic then the dropdowns don't end up empty\n * Fixed sidebar not updating when resources were added/deleted (thanks\n @liquidslr!)\n * Added validation to the \"new service profile\" form (thanks @liquidslr!)\n * Added a Grafana dashboard and web tables for displaying Job stats (thanks,\n @Pothulapati!)\n * Removed TLS columns from the dashboard tables; this is in preparation for\n surfacing identity metrics in a clearer way\n * Fixed the behavior of the Top query 'Start' button if a user's query\n returns no data\n * Fixed an issue with the order of tables returned from a Top Routes query\n * Added text wrap for paths in the modal for expanded Tap query data\n * Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)\n * Updated sorting of route table to move default routes to the bottom\n * Removed 'Help' hierarchy and surfaced links on navigation sidebar\n * Ensured that all the tooltips in Grafana displaying the series are shared\n across all the graphs\n* Internals\n * Improved the `bin/go-run` script for the build process so that on failure,\n all associated background processes are terminated\n * Added more log errors to the integration tests\n * Removed the GOPATH dependence from the CLI dev environment\n * Consolidated injection code from CLI and admission controller code paths\n * Enabled the following linters: `unparam`, `unconvert`, `goimports`,\n `goconst`, `scopelint`, `unused`, `gosimple`\n * Bumped base Docker images\n * Added the flags `-update` and `-pretty-diff` to tests to allow overwriting\n fixtures and to print the full text of the fixtures upon mismatches\n * Introduced golangci-lint tooling, using `.golangci.yml` to centralize the\n config\n * Added a `-cover` parameter to track code coverage in go tests (more info\n in TEST.md)\n * Renamed a function in a test that was shadowing a go built-in function\n (thanks @huynq0911!)\n\n## edge-19.4.4\n\n* Proxy\n * **Fixed** a connection starvation issue where TLS discovery detection on\n slow or idle connections could block all other connections from being\n accepted on the inbound listener of the proxy\n* CLI\n * **Fixed** `inject` to allow the `--disable-identity` flag to be used\n without having to specify the `--ignore-cluster` flag\n* Web UI\n * The Overview page in the Linkerd dashboard now renders appropriately when\n viewed on mobile devices\n\n## edge-19.4.3\n\n* CLI\n * **Fixed** `linkerd upgrade` command not upgrading proxy containers (thanks\n @jon-walton for the issue report!)\n * **Fixed** `linkerd upgrade` command not installing the identity service\n when it was not already installed\n * Eliminate false-positive vulnerability warnings related to go.uuid\n\nSpecial thanks to @KatherineMelnyk for updating the web component to read the\nUUID from the `linkerd-config` ConfigMap!\n\n## edge-19.4.2\n\n* CLI\n * Removed TLS metrics from the `stat` command; this is in preparation for\n surfacing identity metrics in a clearer way\n * The `upgrade` command now outputs a URL that explains next steps for\n upgrading\n * **Breaking Change:** The `--linkerd-cni-enabled` flag has been removed\n from the `inject` command; CNI is configured at the cluster level with the\n `install` command and no longer applies to the `inject` command\n* Controller\n * Service profile validation is now performed via a webhook endpoint; this\n prevents Kubernetes from accepting invalid service profiles\n * Added support for the `config.linkerd.io/proxy-version` annotation on pod\n specs; this will override the injected proxy version\n * Changed the default CPU request from `10m` to `100m` for HA deployments;\n this will help some intermittent liveness/readiness probes from failing\n due to tight resource constraints\n* Proxy\n * The `CommonName` field on CSRs is now set to the proxy's identity name\n* Web UI\n * Removed TLS columns from the dashboard tables; this is in preparation for\n surfacing identity metrics in a clearer way\n\n## edge-19.4.1\n\n* CLI\n * Introduced an `upgrade` command! This allows an existing Linkerd control\n plane to be reinstalled or reconfigured; it is particularly useful for\n automatically reusing flags set in the previous `install` or `upgrade`\n * The `inject` command proxy options are now converted into config\n annotations; the annotations ensure that these configs are persisted in\n subsequent resource updates\n * The `stat` command now always shows the number of open TCP connections\n * **Breaking Change** Removed the `--disable-external-profiles` flag from\n the `install` command; external profiles are now disabled by default and\n can be enabled with the new `--enable-external-profiles` flag\n* Controller\n * The auto-inject admission controller webhook is updated to watch pods\n creation and update events; with this change, proxy auto-injection now\n works for all kinds of workloads, including StatefulSets, DaemonSets,\n Jobs, etc\n* Proxy\n * Some `l5d-*` informational headers have been temporarily removed from\n requests and responses because they could leak information to external\n clients\n* Web UI\n * The topology graph now shows TCP stats if no HTTP stats are available\n * Improved table display on the resource detail page for resources with\n TCP-only traffic\n * Added validation to the \"new service profile\" form (thanks @liquidslr!)\n\n## edge-19.3.3\n\n### Significant Update\n\nThis edge release introduces a new TLS Identity system into the default\nLinkerd installation, replacing `--tls=optional` and the `linkerd-ca`\ncontroller. Now, proxies generate ephemeral private keys into a tmpfs\ndirectory and dynamically refresh certificates, authenticated by Kubernetes\nServiceAccount tokens, via the newly-introduced Identity controller.\n\nNow, all meshed HTTP communication is private and authenticated by default.\n\n* CLI\n * Changed `install` to accept or generate an issuer Secret for the Identity\n controller\n * Changed `install` to fail in the case of a conflict with an existing\n installation; this can be disabled with the `--ignore-cluster` flag\n * Changed `inject` to require fetching a configuration from the control\n plane; this can be disabled with the `--ignore-cluster` and\n `--disable-identity` flags, though this will prevent the injected pods\n from participating in mesh identity\n * **Breaking change** Removed the `--tls=optional` flag from the `linkerd\n install` command, since TLS is now enabled by default\n * Added the ability to adjust the Prometheus log level\n* Proxy\n * **Fixed** a stream leak between the proxy and the control plane that could\n cause the `linkerd-controller` pod to use an excessive amount of memory\n * Introduced per-proxy private key generation and dynamic certificate\n renewal\n * Added a readiness check endpoint on `:4191/ready` so that Kubernetes\n doesn't consider pods ready until they have acquired a certificate from\n the Identity controller\n * The proxy's connect timeouts have been updated, especially to improve\n reconnect behavior between the proxy and the control plane\n* Web UI\n * Added TCP stats to the Linkerd Pod Grafana dashboard\n * Fixed the behavior of the Top query 'Start' button if a user's query\n returns no data\n * Added stable sorting for table rows\n * Fixed an issue with the order of tables returned from a Top Routes query\n * Added text wrap for paths in the modal for expanded Tap query data\n* Internal\n * Improved the `bin/go-run` script for the build process so that on failure,\n all associated background processes are terminated\n\nSpecial thanks to @liquidslr for many useful UI and log changes, and to\n@mmalone and @sourishkrout at @smallstep for collaboration and advice on the\nIdentity system!\n\n## edge-19.3.2\n\n* Controller\n * **Breaking change** Removed support for running the control plane in\n single-namespace mode, which was severely limited in the number of\n features it supported due to not having access to cluster-wide resources\n * Updated automatic proxy injection and CLI injection to support overriding\n inject defaults via pod spec annotations\n * Added a new public API endpoint for fetching control plane configuration\n* CLI\n * **Breaking change** Removed the `--api-port` flag from the `inject` and\n `install` commands, since there's no benefit to running the control\n plane's destination API on a non-default port (thanks, @paranoidaditya)\n * Introduced the `linkerd metrics` command for fetching proxy metrics\n * Updated the `linkerd routes` command to display rows for routes that are\n not receiving any traffic\n * Updated the `linkerd dashboard` command to serve the dashboard on a fixed\n port, allowing it to leverage browser local storage for user settings\n* Web UI\n * **New** Added a Community page to surface news and updates from linkerd.io\n * Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)\n * Added a Grafana dashboard and web tables for displaying Job stats (thanks,\n @Pothulapati!)\n * Updated sorting of route table to move default routes to the bottom\n * Added TCP stat tables on the namespace landing page and resource detail\n page\n\n## edge-19.3.1\n\n* CLI\n * Introduced a check for NET_ADMIN in `linkerd check`\n * Fixed permissions check for CRDs\n * Included kubectl version check as part of `linkerd check` (thanks @yb172!)\n * Added TCP stats to the stat command, under the `-o wide` and `-o json`\n flags\n* Controller\n * Updated the `mutatingwebhookconfiguration` so that it is recreated when\n the proxy injector is restarted, so that the MWC always picks up the\n latest config template during version upgrade\n* Proxy\n * Increased the inbound/router cap on MAX_CONCURRENT_STREAMS\n * The `l5d-remote-ip` header is now set on inbound requests and outbound\n responses\n* Web UI\n * Fixed sidebar not updating when resources were added/deleted (thanks\n @liquidslr!)\n * Added filter functionality to the metrics tables\n* Internal\n * Added more log errors to the integration tests\n * Removed the GOPATH dependence from the CLI dev environment\n * Consolidated injection code from CLI and admission controller code paths\n\n## edge-19.2.5\n\n* CLI\n * Updated `linkerd check` to ensure hint URLs are displayed for RPC checks\n* Controller\n * Updated the auto-inject admission controller webhook to respond to UPDATE\n events for deployment workloads\n * Updated destination service to return TLS identities only when the\n destination pod is TLS-aware and is in the same controller namespace\n * Lessen klog level to improve security\n * Updated control plane components to query Kubernetes at startup to\n determine authorized namespaces and if ServiceProfile support is available\n * Modified the stats payload to include the following TCP stats:\n `tcp_open_connections`, `tcp_read_bytes_total`, `tcp_write_bytes_total`\n* Proxy\n * Fixed issue with proxy falling back to filesystem polling due to\n improperly sized inotify buffer\n* Web UI\n * Removed 'Help' hierarchy and surfaced links on navigation sidebar\n * Added a Debug page to the web dashboard, allowing you to introspect\n service discovery state\n * Updated the resource detail page to start displaying a table with TCP\n stats\n* Internal\n * Enabled the following linters: `unparam`, `unconvert`, `goimports`,\n `goconst`, `scopelint`, `unused`, `gosimple`\n * Bumped base Docker images\n\n## stable-2.2.1\n\nThis stable release polishes some of the CLI help text and fixes two issues\nthat came up since the stable-2.2.0 release.\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Full release notes**:\n\n* CLI\n * Fixed handling of kubeconfig server urls that include paths\n * Updated the description of the `--proxy-auto-inject` flag to indicate that\n it is no longer experimental\n * Updated the `profile` help text to match the other commands\n * Added the \"ep\" alias for the `endpoints` command\n* Controller\n * Stopped logging an error when a route doesn't specify a timeout\n\n## edge-19-2.4\n\n* CLI\n * Implemented `--proxy-cpu-limit` and `--proxy-memory-limit` for setting the\n proxy resources limits (`--proxy-cpu` and `--proxy-memory` were deprecated\n in favor of `proxy-cpu-request` and `proxy-memory-request`) (thanks\n @TwinProduction!)\n * Updated the `inject` and `uninject` subcommands to issue warnings when\n resources lack a `Kind` property (thanks @Pothulapati!)\n * Exposed the `install-cni` command and its flags, and tweaked their\n descriptions\n * Fixed handling of kubeconfig server urls that include paths\n * Updated the description of the `--proxy-auto-inject` flag to indicate that\n it is no longer experimental\n * Updated the `profile` help text to match the other commands\n * Added the \"ep\" alias for the `endpoints` command (also @Pothulapati!)\n * Added a validator for the `--proxy-log-level` flag\n * Fixed sporadic (and harmless) race condition error in `linkerd check`\n* Controller\n * Instrumented clients in the control plane connecting to Kubernetes, thus\n providing better visibility for diagnosing potential problems with those\n connections\n * Stopped logging an error when a route doesn't specify a timeout\n * Renamed the \"linkerd-proxy-api\" service to \"linkerd-destination\"\n * Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3\n* Web UI\n * Modified the Grafana variable queries to use a TCP-based metric, so that\n if there is only TCP traffic then the dropdowns don't end up empty\n * Ensured that all the tooltips in Grafana displaying the series are shared\n across all the graphs\n* Internals\n * Added the flags `-update` and `-pretty-diff` to tests to allow overwriting\n fixtures and to print the full text of the fixtures upon mismatches\n * Introduced golangci-lint tooling, using `.golangci.yml` to centralize the\n config\n * Added a `-cover` parameter to track code coverage in go tests (more info\n in TEST.md)\n * Added integration tests for `--single-namespace`\n * Renamed a function in a test that was shadowing a go built-in function\n (thanks @huynq0911!)\n\n## stable-2.2.0\n\nThis stable release introduces automatic request retries and timeouts, and\ngraduates auto-inject to be a fully-supported (non-experimental) feature. It\nadds several new CLI commands, including `logs` and `endpoints`, that provide\ndiagnostic visibility into Linkerd's control plane. Finally, it introduces two\nexciting experimental features: a cryptographically-secured client identity\nheader, and a CNI plugin that avoids the need for `NET_ADMIN` kernel\ncapabilities at deploy time.\n\nFor more details, see the announcement blog post:\n\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: The default behavior for proxy auto injection and service\nprofile ownership has changed as part of this release. Please see the [upgrade\ninstructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-2-0)\nfor more details.\n\n**Special thanks to**: @alenkacz, @codeman9, @jonrichards, @radu-matei,\n@yeya24, and @zknill\n\n**Full release notes**:\n\n* CLI\n * Improved service profile validation when running `linkerd check` in order\n to validate service profiles in all namespaces\n * Added the `linkerd endpoints` command to introspect Linkerd's service\n discovery state\n * Added the `--tap` flag to `linkerd profile` to generate service profiles\n using the route results seen during the tap\n * Added support for the `linkerd.io/inject: disabled` annotation on pod\n specs to disable injection for specific pods when running `linkerd inject`\n * Added support for `basePath` in OpenAPI 2.0 files when running `linkerd\n profile --open-api`\n * Increased `linkerd check` client timeout from 5 seconds to 30 seconds to\n fix issues for clusters with slow API servers\n * Updated `linkerd routes` to no longer return rows for `ExternalName`\n services in the namespace\n * Broadened the set of valid URLs when connecting to the Kubernetes API\n * Added the `--proto` flag to `linkerd profile` to output a service profile\n based on a Protobuf spec file\n * Fixed CLI connection failures to clusters that use self-signed\n certificates\n * Simplified `linkerd install` so that setting up proxy auto-injection (flag\n `--proxy-auto-inject`) no longer requires enabling TLS (flag `--tls`)\n * Added links for each `linkerd check` failure, pointing to a relevant\n section in our new FAQ page with resolution steps for each case\n * Added optional `linkerd install-sp` command to generate service profiles\n for the control plane, providing per-route metrics for control plane\n components\n * Removed `--proxy-bind-timeout` flag from `linkerd install` and `linkerd\n inject`, as the proxy no longer accepts this environment variable\n * Improved CLI appearance on Windows systems\n * Improved `linkerd check` output, fixed bug with `--single-namespace`\n * Fixed panic when `linkerd routes` is called in single-namespace mode\n * Added `linkerd logs` command to surface logs from any container in the\n Linkerd control plane\n * Added `linkerd uninject` command to remove the Linkerd proxy from a\n Kubernetes config\n * Improved `linkerd inject` to re-inject a resource that already has a\n Linkerd proxy\n * Improved `linkerd routes` to list all routes, including those without\n traffic\n * Improved readability in `linkerd check` and `linkerd inject` outputs\n * Adjusted the set of checks that are run before executing CLI commands,\n which allows the CLI to be invoked even when the control plane is not\n fully ready\n * Fixed reporting of injected resources when the `linkerd inject` command is\n run on `List` type resources with multiple items\n * Updated the `linkerd dashboard` command to use port-forwarding instead of\n proxying when connecting to the web UI and Grafana\n * Added validation for the `ServiceProfile` CRD\n * Updated the `linkerd check` command to disallow setting both the `--pre`\n and `--proxy` flags simultaneously\n * Added `--routes` flag to the `linkerd top` command, for grouping table\n rows by route instead of by path\n * Updated Prometheus configuration to automatically load `*_rules.yml` files\n * Removed TLS column from the `linkerd routes` command output\n * Updated `linkerd install` output to use non-default service accounts,\n `emptyDir` volume mounts, and non-root users\n * Removed cluster-wide resources from single-namespace installs\n * Fixed resource requests for proxy-injector container in `--ha` installs\n* Controller\n * Fixed issue with auto-injector not setting the proxy ID, which is required\n to successfully locate client service profiles\n * Added full stat and tap support for DaemonSets and StatefulSets in the\n CLI, Grafana, and web UI\n * Updated auto-injector to use the proxy log level configured at install\n time\n * Fixed issue with auto-injector including TLS settings in injected pods\n even when TLS was not enabled\n * Changed automatic proxy injection to be opt-in via the `linkerd.io/inject`\n annotation on the pod or namespace\n * Move service profile definitions to client and server namespaces, rather\n than the control plane namespace\n * Added `linkerd.io/created-by` annotation to the linkerd-cni DaemonSet\n * Added a 10 second keepalive default to resolve dropped connections in\n Azure environments\n * Improved node selection for installing the linkerd-cni DaemonSet\n * Corrected the expected controller identity when configuring pods with TLS\n * Modified klog to be verbose when controller log-level is set to `debug`\n * Added support for retries and timeouts, configured directly in the service\n profile for each route\n * Added an experimental CNI plugin to avoid requiring the NET_ADMIN\n capability when injecting proxies\n * Improved the API for `ListPods`\n * Fixed `GetProfiles` API call not returning immediately when no profile\n exists (resulting in proxies logging warnings)\n * Blocked controller initialization until caches have synced with kube API\n * Fixed proxy-api handling of named target ports in service configs\n * Added parameter to stats API to skip retrieving prometheus stats\n* Web UI\n * Updated navigation to link the Linkerd logo back to the Overview page\n * Fixed console warnings on the Top page\n * Grayed-out the tap icon for requests from sources that are not meshed\n * Improved resource detail pages to show all resource types\n * Fixed stats not appearing for routes that have service profiles installed\n * Added \"meshed\" and \"no traffic\" badges on the resource detail pages\n * Fixed `linkerd dashboard` to maintain proxy connection when browser open\n fails\n * Fixed JavaScript bundling to avoid serving old versions after upgrade\n * Reduced the size of the webpack JavaScript bundle by nearly 50%\n * Fixed an indexing error on the top results page\n * Restored unmeshed resources in the network graph on the resource detail\n page\n * Adjusted label for unknown routes in route tables, added tooltip\n * Updated Top Routes page to persist form settings in URL\n * Added button to create new service profiles on Top Routes page\n * Fixed CLI commands displayed when linkerd is running in non-default\n namespace\n* Proxy\n * Modified the way in which canonicalization warnings are logged to reduce\n the overall volume of error logs and make it clearer when failures occur\n * Added TCP keepalive configuration to fix environments where peers may\n silently drop connections\n * Updated the `Get` and `GetProfiles` APIs to accept a `proxy_id` parameter\n in order to return more tailored results\n * Removed TLS fallback-to-plaintext if handshake fails\n * Added the ability to override a proxy's normal outbound routing by adding\n an `l5d-override-dst` header\n * Added `LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT` environment variable to\n customize the timeout for DNS queries to canonicalize a name\n * Added support for route timeouts in service profiles\n * Improved logging for gRPC errors and for malformed HTTP/2 request headers\n * Improved log readability by moving some noisy log messages to more verbose\n log levels\n * Fixed a deadlock in HTTP/2 stream reference counts\n * Updated the proxy-init container to exit with a non-zero exit code if\n initialization fails, making initialization errors much more visible\n * Fixed a memory leak due to leaked UDP sockets for failed DNS queries\n * Improved configuration of the PeakEwma load balancer\n * Improved handling of ports configured to skip protocol detection when the\n proxy is running with TLS enabled\n\n## edge-19.2.3\n\n* Controller\n * Fixed issue with auto-injector not setting the proxy ID, which is required\n to successfully locate client service profiles\n* Web UI\n * Updated navigation to link the Linkerd logo back to the Overview page\n * Fixed console warnings on the Top page\n\n## edge-19.2.2\n\n* CLI\n * Improved service profile validation when running `linkerd check` in order\n to validate service profiles in all namespaces\n* Controller\n * Added stat and tap support for StatefulSets in the CLI, Grafana, and web\n UI\n * Updated auto-injector to use the proxy log level configured at install\n time\n * Fixed issue with auto-injector including TLS settings in injected pods\n even when TLS was not enabled\n* Proxy\n * Modified the way in which canonicalization warnings are logged to reduce\n the overall volume of error logs and make it clearer when failures occur\n\n## edge-19.2.1\n\n* Controller\n * **Breaking change** Changed automatic proxy injection to be opt-in via the\n `linkerd.io/inject` annotation on the pod or namespace. More info:\n \n * **Breaking change** `ServiceProfile`s are now defined in client and server\n namespaces, rather than the control plane namespace. `ServiceProfile`s\n defined in the client namespace take priority over ones defined in the\n server namespace\n * Added `linkerd.io/created-by` annotation to the linkerd-cni DaemonSet\n (thanks @codeman9!)\n * Added a 10 second keepalive default to resolve dropped connections in\n Azure environments\n * Improved node selection for installing the linkerd-cni DaemonSet (thanks\n @codeman9!)\n * Corrected the expected controller identity when configuring pods with TLS\n * Modified klog to be verbose when controller log-level is set to `Debug`\n* CLI\n * Added the `linkerd endpoints` command to introspect Linkerd's service\n discovery state\n * Added the `--tap` flag to `linkerd profile` to generate a `ServiceProfile`\n by using the route results seen during the tap\n * Added support for the `linkerd.io/inject: disabled` annotation on pod\n specs to disable injection for specific pods when running `linkerd inject`\n * Added support for `basePath` in OpenAPI 2.0 files when running `linkerd\n profile --open-api`\n * Increased `linkerd check` client timeout from 5 seconds to 30 seconds to\n fix issues for clusters with a slower API server\n * `linkerd routes` will no longer return rows for `ExternalName` services in\n the namespace\n * Broadened set of valid URLs when connecting to the Kubernetes API\n * Improved `ServiceProfile` field validation in `linkerd check`\n* Proxy\n * Added TCP keepalive configuration to fix environments where peers may\n silently drop connections\n * The `Get` and `GetProfiles` API now accept a `proxy_id` parameter in order\n to return more tailored results\n * Removed TLS fallback-to-plaintext if handshake fails\n\n## edge-19.1.4\n\n* Controller\n * Added support for timeouts! Configurable in the service profiles for each\n route\n * Added an experimental CNI plugin to avoid requiring the NET_ADMIN\n capability when injecting proxies (more details at\n (thanks @codeman9!)\n * Added more improvements to the API for `ListPods` (thanks @alenkacz!)\n* Web UI\n * Grayed-out the tap icon for requests from sources that are not meshed\n* CLI\n * Added the `--proto` flag to `linkerd profile` to output a service profile\n based on a Protobuf spec file\n * Fixed CLI connection failure to clusters that use self-signed certificates\n * Simplified `linkerd install` so that setting up proxy auto-injection (flag\n `--proxy-auto-inject`) no longer requires enabling TLS (flag `--tls`)\n * Added links for each `linkerd check` failure, pointing to a relevant\n section in our new FAQ page with resolution steps for each case\n\n## edge-19.1.3\n\n* Controller\n * Improved API for `ListPods` (thanks @alenkacz!)\n * Fixed `GetProfiles` API call not returning immediately when no profile\n exists (resulting in proxies logging warnings)\n* Web UI\n * Improved resource detail pages now show all resource types\n * Fixed stats not appearing for routes that have service profiles installed\n* CLI\n * Added optional `linkerd install-sp` command to generate service profiles\n for the control plane, providing per-route metrics for control plane\n components\n * Removed `--proxy-bind-timeout` flag from `linkerd install` and `linkerd\n inject` commands, as the proxy no longer accepts this environment variable\n * Improved CLI appearance on Windows systems\n * Improved `linkerd check` output, fixed check bug when using\n `--single-namespace` (thanks to @djeeg for the bug report!)\n * Improved `linkerd stat` now supports DaemonSets (thanks @zknill!)\n * Fixed panic when `linkerd routes` is called in single-namespace mode\n* Proxy\n * Added the ability to override a proxy's normal outbound routing by adding\n an `l5d-override-dst` header\n * Added `LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT` environment variable to\n customize the timeout for DNS queries to canonicalize a name\n * Added support for route timeouts in service profiles\n * Improved logging for gRPC errors and for malformed HTTP/2 request headers\n * Improved log readability by moving some noisy log messages to more verbose\n log levels\n\n## edge-19.1.2\n\n* Controller\n * Retry support! Introduce an `isRetryable` property to service profiles to\n enable configuring retries on a per-route basis\n* Web UI\n * Add \"meshed\" and \"no traffic\" badges on the resource detail pages\n * Fix `linkerd dashboard` to maintain proxy connection when browser open\n fails\n * Fix JavaScript bundling to avoid serving old versions after upgrade\n* CLI\n * Add `linkerd logs` command to surface logs from any container in the\n Linkerd control plane (shout out to\n [Stern](https://github.com/wercker/stern)!)\n * Add `linkerd uninject` command to remove the Linkerd proxy from a\n Kubernetes config\n * Improve `linkerd inject` to re-inject a resource that already has a\n Linkerd proxy\n * Improve `linkerd routes` to list all routes, including those without\n traffic\n * Improve readability in `linkerd check` and `linkerd inject` outputs\n* Proxy\n * Fix a deadlock in HTTP/2 stream reference counts\n\n## edge-19.1.1\n\n* CLI\n * Adjust the set of checks that are run before executing CLI commands, which\n allows the CLI to be invoked even when the control plane is not fully\n ready\n * Fix reporting of injected resources when the `linkerd inject` command is\n run on `List` type resources with multiple items\n * Update the `linkerd dashboard` command to use port-forwarding instead of\n proxying when connecting to the web UI and Grafana\n * Add validation for the `ServiceProfile` CRD (thanks, @alenkacz!)\n * Update the `linkerd check` command to disallow setting both the `--pre`\n and `--proxy` flags simultaneously (thanks again, @alenkacz!)\n* Web UI\n * Reduce the size of the webpack JavaScript bundle by nearly 50%!\n * Fix an indexing error on the top results page\n* Proxy\n * **Fixed** The proxy-init container now exits with a non-zero exit code if\n initialization fails, making initialization errors much more visible\n * **Fixed** The proxy previously leaked UDP sockets for failed DNS queries,\n causing a memory leak; this has been fixed\n\n## edge-18.12.4\n\nUpgrade notes: The control plane components have been renamed as of the\nedge-18.12.1 release to reduce possible naming collisions. To upgrade an older\ninstallation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).\n\n* CLI\n * Add `--routes` flag to the `linkerd top` command, for grouping table rows\n by route instead of by path\n * Update Prometheus configuration to automatically load `*_rules.yml` files\n * Remove TLS column from the `linkerd routes` command output\n* Web UI\n * Restore unmeshed resources in the network graph on the resource detail\n page\n * Reduce the overall size of the asset bundle for the web frontend\n* Proxy\n * Improve configuration of the PeakEwma load balancer\n\nSpecial thanks to @radu-matei for cleaning up a whole slew of Go lint\nwarnings, and to @jonrichards for improving the Rust build setup!\n\n## edge-18.12.3\n\nUpgrade notes: The control plane components have been renamed as of the\nedge-18.12.1 release to reduce possible naming collisions. To upgrade an older\ninstallation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).\n\n* CLI\n * Multiple improvements to the `linkerd install` config (thanks @codeman9!)\n * Use non-default service accounts for grafana and web deployments\n * Use `emptyDir` volume mount for prometheus and grafana pods\n * Set security context on control plane components to not run as root\n * Remove cluster-wide resources from single-namespace installs\n * Disable service profiles in single-namespace mode\n * Require that namespace already exist for single-namespace installs\n * Fix resource requests for proxy-injector container in `--ha` installs\n* Controller\n * Block controller initialization until caches have synced with kube API\n * Fix proxy-api handling of named target ports in service configs\n * Add parameter to stats API to skip retrieving prometheus stats (thanks,\n @alpeb!)\n* Web UI\n * Adjust label for unknown routes in route tables, add tooltip\n * Update Top Routes page to persist form settings in URL\n * Add button to create new service profiles on Top Routes page\n * Fix CLI commands displayed when linkerd is running in non-default\n namespace\n* Proxy\n * Proxies with TLS enabled now honor ports configured to skip protocol\n detection\n\n## stable-2.1.0\n\nThis stable release introduces several major improvements, including per-route\nmetrics, service profiles, and a vastly improved dashboard UI. It also adds\nseveral significant experimental features, including proxy auto-injection,\nsingle namespace installs, and a high-availability mode for the control plane.\n\nFor more details, see the announcement blog post:\n\n\nTo install this release, run: `curl https://run.linkerd.io/install | sh`\n\n**Upgrade notes**: The control plane components have been renamed in this\nrelease to reduce possible naming collisions. Please make sure to read the\n[upgrade\ninstructions](https://linkerd.io/2/upgrade/#upgrade-notice-stable-2-1-0) if\nyou are upgrading from the `stable-2.0.0` release.\n\n**Special thanks to**: @alenkacz, @alpeb, @benjdlambert, @fahrradflucht,\n@ffd2subroutine, @hypnoglow, @ihcsim, @lucab, and @rochacon\n\n**Full release notes**:\n\n* CLI\n * `linkerd routes` command displays per-route stats for _any resource_\n * Service profiles are now supported for external authorities\n * `linkerd routes --open-api` flag generates a service profile based on an\n OpenAPI specification (swagger) file\n * `linkerd routes` command displays per-route stats for services with\n service profiles\n * Add `--ha` flag to `linkerd install` command, for HA deployment of the\n control plane\n * Update stat command to accept multiple stat targets\n * Fix authority stat filtering when the `--from` flag is present\n * Various improvements to check command, including:\n * Emit warnings instead of errors when not running the latest version\n * Add retries if control plane health check fails initially\n * Run all pre-install RBAC checks, instead of stopping at first failure\n * Fixed an issue with the `--registry` install flag not accepting hosts with\n ports\n * Added an `--output` stat flag, for printing stats as JSON\n * Updated the `top` table to set column widths dynamically\n * Added a `--single-namespace` install flag for installing the control plane\n with Role permissions instead of ClusterRole permissions\n * Added a `--proxy-auto-inject` flag to the `install` command, allowing for\n auto-injection of sidecar containers\n * Added `--proxy-cpu` and `--proxy-memory` flags to the `install` and\n `inject` commands, giving the ability to configure CPU + Memory requests\n * Added a `--context` flag to specify the context to use to talk to the\n Kubernetes apiserver\n * The namespace in which Linkerd is installed is configurable via the\n `LINKERD_NAMESPACE` env var, in addition to the `--linkerd-namespace` flag\n * The wait time for the `check` and `dashboard` commands is configurable via\n the `--wait` flag\n * The `top` command now aggregates by HTTP method as well\n* Controller\n * Rename snake case fields to camel case in service profile spec\n * Controller components are now prefixed with `linkerd-` to prevent name\n collisions with existing resources\n * `linkerd install --disable-h2-upgrade` flag has been added to control\n automatic HTTP/2 upgrading\n * Fix auto injection issue on Kubernetes `v1.9.11` that would merge, rather\n than append, the proxy container into the application\n * Fixed a few issues with auto injection via the proxy-injector webhook:\n * Injected pods now execute the linkerd-init container last, to avoid\n rerouting requests during pod init\n * Original pod labels and annotations are preserved when auto-injecting\n * CLI health check now uses unified endpoint for data plane checks\n * Include Licence files in all Docker images\n* Proxy\n * The proxy's `tap` subsystem has been reimplemented to be more efficient\n and and reliable\n * The proxy now supports route metadata in tap queries and events\n * A potential HTTP/2 window starvation bug has been fixed\n * Prometheus counters now wrap properly for values greater than 2^53\n * Add controller client metrics, scoped under `control_`\n * Canonicalize outbound names via DNS for inbound profiles\n * Fix routing issue when a pod makes a request to itself\n * Only include `classification` label on `response_total` metric\n * Remove panic when failing to get remote address\n * Better logging in TCP connect error messages\n* Web UI\n * Top routes page, served at `/routes`\n * Route metrics are now available in the resource detail pages for services\n with configured profiles\n * Service profiles can be created and downloaded from the Web UI\n * Top Routes page, served at `/routes`\n * Fixed a smattering of small UI issues\n * Added a new Grafana dashboard for authorities\n * Revamped look and feel of the Linkerd dashboard by switching component\n libraries from antd to material-ui\n * Added a Help section in the sidebar containing useful links\n * Tap and Top pages\n * Added clear button to query form\n * Resource Detail pages\n * Limit number of resources shown in the graph\n * Resource Detail page\n * Better rendering of the dependency graph at the top of the page\n * Unmeshed sources are now populated in the Inbound traffic table\n * Sources and destinations are aligned in the popover\n * Tap and Top pages\n * Additional validation and polish for the form controls\n * The top table clears older results when a new top call is started\n * The top table now aggregates by HTTP method as well\n\n## edge-18.12.2\n\nUpgrade notes: The control plane components have been renamed as of the\nedge-18.12.1 release to reduce possible naming collisions. To upgrade an older\ninstallation, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).\n\n* Controller\n * Rename snake case fields to camel case in service profile spec\n\n## edge-18.12.1\n\nUpgrade notes: The control plane components have been renamed in this release\nto reduce possible naming collisions. To upgrade an existing installation:\n\n* Install new CLI: `curl https://run.linkerd.io/install-edge | sh`\n* Install new control plane: `linkerd install | kubectl apply -f -`\n* Remove old deploys/cms: `kubectl -n linkerd get deploy,cm -oname | grep -v\n linkerd | xargs kubectl -n linkerd delete`\n* Re-inject your applications: `linkerd inject my-app.yml | kubectl apply -f\n -`\n* Remove old services: `kubectl -n linkerd get svc -oname | grep -v linkerd |\n xargs kubectl -n linkerd delete`\n\nFor more information, see the [Upgrade Guide](https://linkerd.io/2/upgrade/).\n\n* CLI\n * **Improved** `linkerd routes` command displays per-route stats for _any\n resource_!\n * **New** Service profiles are now supported for external authorities!\n * **New** `linkerd routes --open-api` flag generates a service profile based\n on an OpenAPI specification (swagger) file\n* Web UI\n * **New** Top routes page, served at `/routes`\n * **New** Route metrics are now available in the resource detail pages for\n services with configured profiles\n * **New** Service profiles can be created and downloaded from the Web UI\n* Controller\n * **Improved** Controller components are now prefixed with `linkerd-` to\n prevent name collisions with existing resources\n * **New** `linkerd install --disable-h2-upgrade` flag has been added to\n control automatic HTTP/2 upgrading\n* Proxy\n * **Improved** The proxy's `tap` subsystem has been reimplemented to be more\n efficient and and reliable\n * The proxy now supports route metadata in tap queries and events\n * **Fixed** A potential HTTP/2 window starvation bug has been fixed\n * **Fixed** Prometheus counters now wrap properly for values greater than\n 2^53 (thanks, @lucab!)\n\n## edge-18.11.3\n\n* CLI\n * **New** `linkerd routes` command displays per-route stats for services\n with service profiles\n * **Experimental** Add `--ha` flag to `linkerd install` command, for HA\n deployment of the control plane (thanks @benjdlambert!)\n* Web UI\n * **Experimental** Top Routes page, served at `/routes`\n* Controller\n * **Fixed** Fix auto injection issue on Kubernetes `v1.9.11` that would\n merge, rather than append, the proxy container into the application\n* Proxy\n * **Improved** Add controller client metrics, scoped under `control_`\n * **Improved** Canonicalize outbound names via DNS for inbound profiles\n\n## edge-18.11.2\n\n* CLI\n * **Improved** Update stat command to accept multiple stat targets\n * **Fixed** Fix authority stat filtering when the `--from` flag is present\n * Various improvements to check command, including:\n * Emit warnings instead of errors when not running the latest version\n * Add retries if control plane health check fails initially\n * Run all pre-install RBAC checks, instead of stopping at first failure\n* Proxy / Proxy-Init\n * **Fixed** Fix routing issue when a pod makes a request to itself (#1585)\n * Only include `classification` label on `response_total` metric\n\n## edge-18.11.1\n\n* Proxy\n * **Fixed** Remove panic when failing to get remote address\n * **Improved** Better logging in TCP connect error messages\n* Web UI\n * **Improved** Fixed a smattering of small UI issues\n\n## edge-18.10.4\n\nThis release includes a major redesign of the web frontend to make use of the\nMaterial design system. Additional features that leverage the new design are\ncoming soon! This release also includes the following changes:\n\n* CLI\n * **Fixed** Fixed an issue with the `--registry` install flag not accepting\n hosts with ports (thanks, @alenkacz!)\n* Web UI\n * **New** Added a new Grafana dashboard for authorities (thanks, @alpeb!)\n * **New** Revamped look and feel of the Linkerd dashboard by switching\n component libraries from antd to material-ui\n\n## edge-18.10.3\n\n* CLI\n * **New** Added an `--output` stat flag, for printing stats as JSON\n * **Improved** Updated the `top` table to set column widths dynamically\n * **Experimental** Added a `--single-namespace` install flag for installing\n the control plane with Role permissions instead of ClusterRole permissions\n* Controller\n * Fixed a few issues with auto injection via the proxy-injector webhook:\n * Injected pods now execute the linkerd-init container last, to avoid\n rerouting requests during pod init\n * Original pod labels and annotations are preserved when auto-injecting\n* Web UI\n * **New** Added a Help section in the sidebar containing useful links\n\n## edge-18.10.2\n\nThis release brings major improvements to the CLI as described below,\nincluding support for auto-injecting deployments via a Kubernetes Admission\nController. Proxy auto-injection is **experimental**, and the implementation\nmay change going forward.\n\n* CLI\n * **New** Added a `--proxy-auto-inject` flag to the `install` command,\n allowing for auto-injection of sidecar containers (Thanks @ihcsim!)\n * **Improved** Added `--proxy-cpu` and `--proxy-memory` flags to the\n `install` and `inject` commands, giving the ability to configure CPU +\n Memory requests (Thanks @benjdlambert!)\n * **Improved** Added a `--context` flag to specify the context to use to\n talk to the Kubernetes apiserver (Thanks @ffd2subroutine!)\n\n## edge-18.10.1\n\n* Web UI\n * **Improved** Tap and Top pages\n * Added clear button to query form\n * **Improved** Resource Detail pages\n * Limit number of resources shown in the graph\n* Controller\n * CLI health check now uses unified endpoint for data plane checks\n * Include Licence files in all Docker images\n\nSpecial thanks to @alenkacz for contributing to this release!\n\n## edge-18.9.3\n\n* Web UI\n * **Improved** Resource Detail page\n * Better rendering of the dependency graph at the top of the page\n * Unmeshed sources are now populated in the Inbound traffic table\n * Sources and destinations are aligned in the popover\n * **Improved** Tap and Top pages\n * Additional validation and polish for the form controls\n * The top table clears older results when a new top call is started\n * The top table now aggregates by HTTP method as well\n* CLI\n * **New** The namespace in which Linkerd is installed is configurable via\n the `LINKERD_NAMESPACE` env var, in addition to the `--linkerd-namespace`\n flag\n * **New** The wait time for the `check` and `dashboard` commands is\n configurable via the `--wait` flag\n * **Improved** The `top` command now aggregates by HTTP method as well\n\nSpecial thanks to @rochacon, @fahrradflucht and @alenkacz for contributing to\nthis release!\n\n## stable-2.0.0\n\n## edge-18.9.2\n\n* **New** _edge_ and _stable_ release channels\n* Web UI\n * **Improved** Tap & Top UIs with better layout and linking\n* CLI\n * **Improved** `check --pre` command verifies the caller has sufficient\n permissions to install Linkerd\n * **Improved** `check` command verifies that Prometheus has data for proxied\n pods\n* Proxy\n * **Fix** `hyper` crate dependency corrects HTTP/1.0 Keep-Alive behavior\n\n## v18.9.1\n\n* Web UI\n * **New** Default landing page provides namespace overview with expandable\n sections\n * **New** Breadcrumb navigation at the top of the dashboard\n * **Improved** Tap and Top pages\n * Table rendering performance improvements via throttling\n * Tables now link to resource detail pages\n * Tap an entire namespace when no resource is specified\n * Tap websocket errors provide more descriptive text\n * Consolidated source and destination columns\n * Misc ui updates\n * Metrics tables now include a small success rate chart\n * Improved latency formatting for seconds latencies\n * Renamed upstream/downstream to inbound/outbound\n * Sidebar scrolls independently from main panel, scrollbars hidden when\n not needed\n * Removed social links from sidebar\n* CLI\n * **New** `linkerd check` now validates Linkerd proxy versions and readiness\n * **New** `linkerd inject` now provides an injection status report, and\n warns when resources are not injectable\n * **New** `linkerd top` now has a `--hide-sources` flag, to hide the source\n column and collapse top results accordingly\n* Control Plane\n * Updated Prometheus to v2.4.0, Grafana to 5.2.4\n\n## v18.8.4\n\n* Web UI\n * **Improved** Tap and Top now have a better sampling rate\n * **Fixed** Missing sidebar headings now appear\n\n## v18.8.3\n\n* Web UI\n * **Improved** Kubernetes resource navigation in the sidebar\n * **Improved** resource detail pages:\n * **New** live request view\n * **New** success rate graphs\n* CLI\n * `tap` and `top` have been improved to sample up to 100 RPS\n* Control plane\n * Injected proxy containers now have readiness and liveness probes enabled\n\nSpecial thanks to @sourishkrout for contributing a web readability fix!\n\n## v18.8.2\n\n* CLI\n * **New** `linkerd top` command has been added, displays live traffic stats\n * `linkerd check` has been updated with additional checks, now supports a\n `--pre` flag for running pre-install checks\n * `linkerd check` and `linkerd dashboard` now support a `--wait` flag that\n tells the CLI to wait for the control plane to become ready\n * `linkerd tap` now supports a `--output` flag to display output in a wide\n format that includes src and dst resources and namespaces\n * `linkerd stat` includes additional validation for command line inputs\n * All commands that talk to the Linkerd API now show better error messages\n when the control plane is unavailable\n* Web UI\n * **New** individual resources can now be viewed on a resource detail page,\n which includes stats for the resource itself and its nearest neighbors\n * **Experimental** web-based Top interface accessible at `/top`, aggregates\n tap data in real time to display live traffic stats\n * The `/tap` page has multiple improvements, including displaying additional\n src/dst metadata, improved form controls, and better latency formatting\n * All resource tables have been updated to display meshed pod counts, as\n well as an icon linking to the resource's Grafana dashboard if it is\n meshed\n * The UI now shows more useful information when server errors are\n encountered\n* Proxy\n * The `h2` crate fixed a HTTP/2 window management bug\n * The `rustls` crate fixed a bug that could improperly fail TLS streams\n* Control Plane\n * The tap server now hydrates metadata for both sources and destinations\n\n## v18.8.1\n\n* Web UI\n * **New** Tap UI makes it possible to query & inspect requests from the\n browser!\n* Proxy\n * **New** Automatic, transparent HTTP/2 multiplexing of HTTP/1 traffic\n reduces the cost of short-lived HTTP/1 connections\n* Control Plane\n * **Improved** `linkerd inject` now supports injecting all resources in a\n folder\n * **Fixed** `linkerd tap` no longer crashes when there are many pods\n * **New** Prometheus now only scrapes proxies belonging to its own linkerd\n install\n * **Fixed** Prometheus metrics collection for clusters with >100 pods\n\nSpecial thanks to @ihcsim for contributing the `inject` improvement!\n\n## v18.7.3\n\nLinkerd2 v18.7.3 completes the rebranding from Conduit to Linkerd2, and\nimproves overall performance and stability.\n\n* Proxy\n * **Improved** CPU utilization by ~20%\n* Web UI\n * **Experimental** `/tap` page now supports additional filters\n* Control Plane\n * Updated all k8s.io dependencies to 1.11.1\n\n## v18.7.2\n\nLinkerd2 v18.7.2 introduces new stability features as we work toward\nproduction readiness.\n\n* Control Plane\n * **Breaking change** Injected pod labels have been renamed to be more\n consistent with Kubernetes; previously injected pods must be re-injected\n with new version of linkerd CLI in order to work with updated control\n plane\n * The \"ca-bundle-distributor\" deployment has been renamed to \"ca\"\n* Proxy\n * **Fixed** HTTP/1.1 connections were not properly reused, leading to\n elevated latencies and CPU load\n * **Fixed** The `process_cpu_seconds_total` was calculated incorrectly\n* Web UI\n * **New** per-namespace application topology graph\n * **Experimental** web-based Tap interface accessible at `/tap`\n * Updated favicon to the Linkerd logo\n\n## v18.7.1\n\nLinkerd2 v18.7.1 is the first release of the Linkerd2 project, which was\nformerly hosted at github.com/runconduit/conduit.\n\n* Packaging\n * Introduce new date-based versioning scheme, `vYY.M.n`\n * Move all Docker images to `gcr.io/linkerd-io` repo\n* User Interface\n * Update branding to reference Linkerd throughout\n * The CLI is now called `linkerd`\n* Production Readiness\n * Fix issue with destination service sending back incomplete pod metadata\n * Fix high CPU usage during proxy shutdown\n * ClusterRoles are now unique per Linkerd install, allowing multiple\n instances to be installed in the same Kubernetes cluster\n\n## v0.5.0\n\nConduit v0.5.0 introduces a new, experimental feature that automatically\nenables Transport Layer Security between Conduit proxies to secure application\ntraffic. It also adds support for HTTP protocol upgrades, so applications that\nuse WebSockets can now benefit from Conduit.\n\n* Security\n * **New** `conduit install --tls=optional` enables automatic, opportunistic\n TLS. See [the docs][auto-tls] for more info.\n* Production Readiness\n * The proxy now transparently supports HTTP protocol upgrades to support,\n for instance, WebSockets.\n * The proxy now seamlessly forwards HTTP `CONNECT` streams.\n * Controller services are now configured with liveness and readiness probes.\n* User Interface\n * `conduit stat` now supports a virtual `authority` resource that aggregates\n traffic by the `:authority` (or `Host`) header of an HTTP request.\n * `dashboard`, `stat`, and `tap` have been updated to describe TLS state for\n traffic.\n * `conduit tap` now has more detailed information, including the direction\n of each message (outbound or inbound).\n * `conduit stat` now more-accurately records histograms for low-latency\n services.\n * `conduit dashboard` now includes error messages when a Conduit-enabled pod\n fails.\n* Internals\n * Prometheus has been upgraded to v2.3.1.\n * A potential live-lock has been fixed in HTTP/2 servers.\n * `conduit tap` could crash due to a null-pointer access. This has been\n fixed.\n\n[auto-tls]: docs/automatic-tls.md\n\n## v0.4.4\n\nConduit v0.4.4 continues to improve production suitability and sets up\ninternals for the upcoming v0.5.0 release.\n\n* Production Readiness\n * The destination service has been mostly-rewritten to improve safety and\n correctness, especially during controller initialization.\n * Readiness and Liveness checks have been added for some controller\n components.\n * RBAC settings have been expanded so that Prometheus can access node-level\n metrics.\n* User Interface\n * Ad blockers like uBlock prevented the Conduit dashboard from fetching API\n data. This has been fixed.\n * The UI now highlights pods that have failed to start a proxy.\n* Internals\n * Various dependency upgrades, including Rust 1.26.2.\n * TLS testing continues to bear fruit, precipitating stability improvements\n to dependencies like Rustls.\n\nSpecial thanks to @alenkacz for improving docker build times!\n\n## v0.4.3\n\nConduit v0.4.3 continues progress towards production readiness. It features a\nnew latency-aware load balancer.\n\n* Production Readiness\n * The proxy now uses a latency-aware load balancer for outbound requests.\n This implementation is based on Finagle's Peak-EWMA balancer, which has\n been proven to significantly reduce tail latencies. This is the same load\n balancing strategy used by Linkerd.\n* User Interface\n * `conduit stat` is now slightly more predictable in the way it outputs\n things, especially for commands like `watch conduit stat all\n --all-namespaces`.\n * Failed and completed pods are no longer shown in stat summary results.\n* Internals\n * The proxy now supports some TLS configuration, though these features\n remain disabled and undocumented pending further testing and\n instrumentation.\n\nSpecial thanks to @ihcsim for contributing his first PR to the project and to\n@roanta for discussing the Peak-EWMA load balancing algorithm with us.\n\n## v0.4.2\n\nConduit v0.4.2 is a major step towards production readiness. It features a\nwide array of fixes and improvements for long-running proxies, and several new\ntelemetry features. It also lays the groundwork for upcoming releases that\nintroduce mutual TLS everywhere.\n\n* Production Readiness\n * The proxy now drops metrics that do not update for 10 minutes, preventing\n unbounded memory growth for long-running processes.\n * The proxy now constrains the number of services that a node can route to\n simultaneously (default: 100). This protects long-running proxies from\n consuming unbounded resources by tearing down the longest-idle clients\n when the capacity is reached.\n * The proxy now properly honors HTTP/2 request cancellation.\n * The proxy could incorrectly handle requests in the face of some connection\n errors. This has been fixed.\n * The proxy now honors DNS TTLs.\n * `conduit inject` now works with `statefulset` resources.\n* Telemetry\n * **New** `conduit stat` now supports the `all` Kubernetes resource, which\n shows traffic stats for all Kubernetes resources in a namespace.\n * **New** the Conduit web UI has been reorganized to provide namespace\n overviews.\n * **Fix** a bug in Tap that prevented the proxy from simultaneously\n satisfying more than one Tap request.\n * **Fix** a bug that could prevent stats from being reported for some TCP\n streams in failure conditions.\n * The proxy now measures response latency as time-to-first-byte.\n* Internals\n * The proxy now supports user-friendly time values (e.g. `10s`) from\n environment configuration.\n * The control plane now uses client for Kubernetes 1.10.2.\n * Much richer proxy debug logging, including socket and stream metadata.\n * The proxy internals have been changed substantially in preparation for TLS\n support.\n\nSpecial thanks to @carllhw, @kichristensen, & @sfroment for contributing to\nthis release!\n\n### Upgrading from v0.4.1\n\nWhen upgrading from v0.4.1, we suggest that the control plane be upgraded to\nv0.4.2 before injecting application pods to use v0.4.2 proxies.\n\n## v0.4.1\n\nConduit 0.4.1 builds on the telemetry work from 0.4.0, providing rich,\nKubernetes-aware observability and debugging.\n\n* Web UI\n * **New** Automatically-configured Grafana dashboards for Services, Pods,\n ReplicationControllers, and Conduit mesh health.\n * **New** `conduit dashboard` Pod and ReplicationController views.\n* Command-line interface\n * **Breaking change** `conduit tap` now operates on most Kubernetes\n resources.\n * `conduit stat` and `conduit tap` now both support kubectl-style resource\n strings (`deploy`, `deploy/web`, and `deploy web`), specifically:\n * `namespaces`\n * `deployments`\n * `replicationcontrollers`\n * `services`\n * `pods`\n* Telemetry\n * **New** Tap support for filtering by and exporting destination metadata.\n Now you can sample requests from A to B, where A and B are any resource or\n group of resources.\n * **New** TCP-level stats, including connection counts and durations, and\n throughput, wired through to Grafana dashboards.\n* Service Discovery\n * The proxy now uses the [trust-dns] DNS resolver. This fixes a number of\n DNS correctness issues.\n * The destination service could sometimes return incorrect, stale, labels\n for an endpoint. This has been fixed!\n\n[trust-dns]: https://github.com/bluejekyll/trust-dns\n\n## v0.4.0\n\nConduit 0.4.0 overhauls Conduit's telemetry system and improves service\ndiscovery reliability.\n\n* Web UI\n * **New** automatically-configured Grafana dashboards for all Deployments.\n* Command-line interface\n * `conduit stat` has been completely rewritten to accept arguments like\n `kubectl get`. The `--to` and `--from` filters can be used to filter\n traffic by destination and source, respectively. `conduit stat` currently\n can operate on `Namespace` and `Deployment` Kubernetes resources. More\n resource types will be added in the next release!\n* Proxy (data plane)\n * **New** Prometheus-formatted metrics are now exposed on `:4191/metrics`,\n including rich destination labeling for outbound HTTP requests. The proxy\n no longer pushes metrics to the control plane.\n * The proxy now handles `SIGINT` or `SIGTERM`, gracefully draining requests\n until all are complete or `SIGQUIT` is received.\n * SMTP and MySQL (ports 25 and 3306) are now treated as opaque TCP by\n default. You should no longer have to specify `--skip-outbound-ports` to\n communicate with such services.\n * When the proxy reconnected to the controller, it could continue to send\n requests to old endpoints. Now, when the proxy reconnects to the\n controller, it properly removes invalid endpoints.\n * A bug impacting some HTTP/2 reset scenarios has been fixed.\n* Service Discovery\n * Previously, the proxy failed to resolve some domain names that could be\n misinterpreted as a Kubernetes Service name. This has been fixed by\n extending the _Destination_ API with a negative acknowledgement response.\n* Control Plane\n * The _Telemetry_ service and associated APIs have been removed.\n* Documentation\n * Updated [Roadmap](doc/roadmap.md)\n\nSpecial thanks to @ahume, @alenkacz, & @xiaods for contributing to this\nrelease!\n\n### Upgrading from v0.3.1\n\nWhen upgrading from v0.3.1, it's important to upgrade proxies before upgrading\nthe controller. As you upgrade proxies, the controller will lose visibility\ninto some data plane stats. Once all proxies are updated, `conduit install\n|kubectl apply -f -` can be run to upgrade the controller without causing any\ndata plane disruptions. Once the controller has been restarted, traffic stats\nshould become available.\n\n## v0.3.1\n\nConduit 0.3.1 improves Conduit's resilience and transparency.\n\n* Proxy (data plane)\n * The proxy now makes fewer changes to requests and responses being proxied.\n In particular, requests and responses without bodies or with empty bodies\n are better supported.\n * HTTP/1 requests with different `Host` header fields are no longer sent on\n the same HTTP/1 connection even when those hostnames resolve to the same\n IP address.\n * A connection leak during proxying of non-HTTP TCP connections was fixed.\n * The proxy now handles unavailable services more gracefully by timing out\n while waiting for an endpoint to become available for the service.\n* Command-line interface\n * `$KUBECONFIG` with multiple paths is now supported. (PR #482 by\n @hypnoglow).\n * `conduit check` now checks for the availability of a Conduit update. (PR\n #460 by @ahume).\n* Service Discovery\n * Kubernetes services with type `ExternalName` are now supported.\n* Control Plane\n * The proxy is injected into the control plane during installation to\n improve the control plane's resilience and to \"dogfood\" the proxy.\n * The control plane is now more resilient regarding networking failures.\n* Documentation\n * The markdown source for the documentation published at\n is now open source at\n \n\n## v0.3.0\n\nConduit 0.3 focused heavily on production hardening of Conduit's telemetry\nsystem. Conduit 0.3 should \"just work\" for most apps on Kubernetes 1.8 or 1.9\nwithout configuration, and should support Kubernetes clusters with hundreds of\nservices, thousands of instances, and hundreds of RPS per instance.\n\nWith this release, Conduit also moves from _experimental_ to _alpha_---meaning\nthat we're ready for some serious testing and vetting from you. As part of\nthis, we've published the [Conduit roadmap](https://conduit.io/roadmap/), and\nwe've also launched some new mailing lists:\n[conduit-users](https://groups.google.com/forum/#!forum/conduit-users),\n[conduit-dev](https://groups.google.com/forum/#!forum/conduit-dev), and\n[conduit-announce](https://groups.google.com/forum/#!forum/conduit-announce).\n\n* CLI\n * CLI commands no longer depend on `kubectl`\n * `conduit dashboard` now runs on an ephemeral port, removing port 8001\n conflicts\n * `conduit inject` now skips pods with `hostNetwork=true`\n * CLI commands now have friendlier error messages, and support a `--verbose`\n flag for debugging\n* Web UI\n * All displayed metrics are now instantaneous snapshots rather than\n aggregated over 10 minutes\n * The sidebar can now be collapsed\n * UX refinements and bug fixes\n* Conduit proxy (data plane)\n * Proxy does load-aware (P2C + least-loaded) L7 balancing for HTTP\n * Proxy can now route to external DNS names\n * Proxy now properly sheds load in some pathological cases when it cannot\n route\n* Telemetry system\n * Many optimizations and refinements to support scale goals\n * Per-path and per-pod metrics have been removed temporarily to improve\n scalability and stability; they will be reintroduced in Conduit 0.4 (#405)\n* Build improvements\n * The Conduit docker images are now much smaller.\n * Dockerfiles have been changed to leverage caching, improving build times\n substantially\n\nKnown Issues:\n\n* Some DNS lookups to external domains fail (#62, #155, #392)\n* Applications that use WebSockets, HTTP tunneling/proxying, or protocols such\n as MySQL and SMTP, require additional configuration (#339)\n\n## v0.2.0\n\nThis is a big milestone! With this release, Conduit adds support for HTTP/1.x\nand raw TCP traffic, meaning it should \"just work\" for most applications that\nare running on Kubernetes without additional configuration.\n\n* Data plane\n * Conduit now transparently proxies all TCP traffic, including HTTP/1.x and\n HTTP/2. (See caveats below.)\n* Command-line interface\n * Improved error handling for the `tap` command\n * `tap` also now works with HTTP/1.x traffic\n* Dashboard\n * Minor UI appearance tweaks\n * Deployments now searchable from the dashboard sidebar\n\nCaveats:\n\n* Conduit will automatically work for most protocols. However, applications\n that use WebSockets, HTTP tunneling/proxying, or protocols such as MySQL and\n SMTP, will require some additional configuration. See the\n [documentation](https://conduit.io/adding-your-service/#protocol-support)\n for details.\n* Conduit doesn't yet support external DNS lookups. These will be addressed in\n an upcoming release.\n* There are known issues with Conduit's telemetry pipeline that prevent it\n from scaling beyond a few nodes. These will be addressed in an upcoming\n release.\n* Conduit is still in alpha! Please help us by [filing issues and contributing\n pull requests](https://github.com/runconduit/conduit/issues/new).\n\n## v0.1.3\n\n* This is a minor bugfix for some web dashboard UI elements that were not\n rendering correctly.\n\n## v0.1.2\n\nConduit 0.1.2 continues down the path of increasing usability and improving\ndebugging and introspection of the service mesh itself.\n\n* Conduit CLI\n * New `conduit check` command reports on the health of your Conduit\n installation.\n * New `conduit completion` command provides shell completion.\n* Dashboard\n * Added per-path metrics to the deployment detail pages.\n * Added animations to line graphs indicating server activity.\n * More descriptive CSS variable names. (Thanks @natemurthy!)\n * A variety of other minor UI bugfixes and improvements\n* Fixes\n * Fixed Prometheus config when using RBAC. (Thanks @FaKod!)\n * Fixed `tap` failure when pods do not belong to a deployment. (Thanks\n @FaKod!)\n\n## v0.1.1\n\nConduit 0.1.1 is focused on making it easier to get started with Conduit.\n\n* Conduit can now be installed on Kubernetes clusters that use RBAC.\n* The `conduit inject` command now supports a `--skip-outbound-ports` flag\n that directs Conduit to bypass proxying for specific outbound ports, making\n Conduit easier to use with non-gRPC or HTTP/2 protocols.\n* The `conduit tap` command output has been reformatted to be line-oriented,\n making it easier to parse with common UNIX command line utilities.\n* Conduit now supports routing of non-fully qualified domain names.\n* The web UI has improved support for large deployments and deployments that\n don't have any inbound/outbound traffic.\n\n## v0.1.0\n\nConduit 0.1.0 is the first public release of Conduit.\n\n* This release supports services that communicate via gRPC only. non-gRPC\n HTTP/2 services should work. More complete HTTP support, including HTTP/1.0\n and HTTP/1.1 and non-gRPC HTTP/2, will be added in an upcoming release.\n* Kubernetes 1.8.0 or later is required.\n* kubectl 1.8.0 or later is required. `conduit dashboard` will not work with\n earlier versions of kubectl.\n* When deploying to Minikube, Minikube 0.23 or 0.24.1 or later are required.\n Earlier versions will not work.\n* This release has been tested using Google Kubernetes Engine and Minikube.\n Upcoming releases will be tested on additional providers too.\n* Configuration settings and protocols are not stable yet.\n* Services written in Go must use grpc-go 1.3 or later to avoid [grpc-go bug\n #1120](https://github.com/grpc/grpc-go/issues/1120).\n" }, { "path": "CODE_OF_CONDUCT.md", "content": "# Linkerd Community Code of Conduct\n\nAs a CNCF project, we follow the [CNCF Contributor Code of\nConduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).\nAdditionally, we are committed to the following guidelines adapted from the\n[Rust Code of Conduct](https://www.rust-lang.org/en-US/conduct.html):\n\n## Community Guidelines\n\nOur goal is to foster an inclusive and diverse community of technology\nenthusiasts.\n\nTry to be your best self. Treat your fellow community members with kindness and\nempathy. We welcome disagreements when they are conducted respectfully and\nwithout personal attacks.\n\nWe ask that you keep unstructured critique to a minimum. Disparaging remarks\nabout the project are unnecessary and a drain on community morale. Feedback\nshould be constructive and relevant. Having passionately held opinions on what\nshould improve is encouraged! We hope you will use that enthusiasm to roll up\nyour sleeves and get involved by submitting pull requests. We have additional\nguidelines on [how to ask constructive\nquestions](https://github.com/linkerd/linkerd/wiki/How-To-Ask-Questions-in-Slack).\n\nWe don't tolerate insults, spamming, trolling, flaming, baiting, or harassment.\nWe don't tolerate sexual language, imagery, or unwanted advances. Private\nharassment is also unacceptable.\n\nWe do our best to avoid\n[subtle-isms](https://www.recurse.com/manual#sub-sec-social-rules): small\nactions that make others feel uncomfortable. If you witness a subtle-ism, you\nmay respectfully point it out to the person publicly or privately, or you may\nask a moderator to say something. Accidentally saying something biased is\ncommon, expected, and readily forgiven. It is not in and of itself a bannable\noffense.\n\n## Moderation\n\nIf you feel that a channel needs moderation, please message one of the\n[`maintainers`](MAINTAINERS.md) directly.\n\nModerators will issue a warning to users who don't follow the code of conduct. A\nsecond offense results in a temporary ban, a third warrants a permanent ban.\nIt's at the moderator's discretion to un-ban a remorseful user, or immediately\nban a toxic user without warning. Unjustified bans can be appealed by contacting\n.\n" }, { "path": "CONTRIBUTING.md", "content": "# Contributing to Linkerd2 #\n\n:balloon: Thanks for your help improving the project!\n\n## Getting Help ##\n\nIf you have a question about Linkerd2 or have encountered problems using it,\nstart by [asking a question in the forums][discourse] or join us in the\n[#linkerd2 Slack channel][slack].\n\n## Developer Certificate of Origin ##\n\nTo contribute to this project, you must agree to the Developer Certificate of\nOrigin (DCO) for each commit you make. The DCO is a simple statement that you,\nas a contributor, have the legal right to make the contribution.\n\nSee the [DCO](DCO) file for the full text of what you must agree to.\n\n### Option 1: commit message signoffs ###\n\nOne way to signify that you agree to the DCO for a commit is to add a line to\nthe git commit message:\n\n```txt\nSigned-off-by: Jane Smith \n```\n\nIn most cases, you can add this signoff to your commit automatically with the\n`-s` flag to `git commit`. You must use your real name and a reachable email\naddress (sorry, no pseudonyms or anonymous contributions).\n\n### Option 2: public statement ###\n\nIf you've already made the commits and don't want to engage in git shenanigans\nto retroactively apply the signoff as above, there is another option: leave a\ncomment on the PR with the following statement: \"I agree to the DCO for all the\ncommits in this PR.\"\n\nNote that this option also requires that your commits are made under your real\nname and a reachable email address.\n\nIf you use this approach, the DCO bot will still complain, but maintainers will\noverride the DCO bot at merge time.\n\n### Option 3: very simple changes ###\n\nChanges that are trivial (e.g. spelling corrections, adding to ADOPTERS.md,\none-word changes) do not require a DCO signoff. Maintainers should feel free to\noverride the DCO bot for these changes.\n\n## Submitting a Pull Request ##\n\nDo you have an improvement?\n\n1. Submit an [issue][issue] describing your proposed change.\n2. We will try to respond to your issue promptly.\n3. Fork this repo, develop and test your code changes. See the project's\n [README](README.md) for further information about working in this repository.\n4. Submit a pull request against this repo's `main` branch.\n - Include instructions on how to test your changes.\n - If you are making a change to the user interface (UI), include a\n screenshot of the UI before and after your changes.\n5. Your branch may be merged once all configured checks pass, including:\n - The branch has passed tests in CI.\n - A review from appropriate maintainers (see\n [MAINTAINERS.md](MAINTAINERS.md) and [GOVERNANCE.md](GOVERNANCE.md))\n\n## Committing ##\n\nWe prefer squash or rebase commits so that all changes from a branch are\ncommitted to main as a single commit. All pull requests are squashed when\nmerged, but rebasing prior to merge gives you better control over the commit\nmessage.\n\n### Commit messages ###\n\nFinalized commit messages should be in the following format:\n\n```txt\nSubject\n\nProblem\n\nSolution\n\nValidation\n\nFixes #[GitHub issue ID]\n```\n\n#### Subject ####\n\n- one line, <= 50 characters\n- describe what is done; not the result\n- use the active voice\n- capitalize first word and proper nouns\n- do not end in a period — this is a title/subject\n- reference the GitHub issue by number\n\n##### Examples #####\n\n```txt\nbad: server disconnects should cause dst client disconnects.\ngood: Propagate disconnects from source to destination\n```\n\n```txt\nbad: support tls servers\ngood: Introduce support for server-side TLS (#347)\n```\n\n#### Problem ####\n\nExplain the context and why you're making that change. What is the problem\nyou're trying to solve? In some cases there is not a problem and this can be\nthought of as being the motivation for your change.\n\n#### Solution ####\n\nDescribe the modifications you've made.\n\nIf this PR changes a behavior, it is helpful to describe the difference between\nthe old behavior and the new behavior. Provide before and after screenshots,\nexample CLI output, or changed YAML where applicable.\n\nDescribe any implementation changes which are particularly complex or\nunintuitive.\n\nList any follow-up work that will need to be done in a future PR and link to any\nrelevant GitHub issues.\n\n#### Validation ####\n\nDescribe the testing you've done to validate your change. Give instructions for\nreviewers to replicate your tests. Performance-related changes should include\nbefore- and after- benchmark results.\n\n[discourse]: https://discourse.linkerd.io/c/linkerd2\n[issue]: https://github.com/linkerd/linkerd2/issues/new\n[slack]: http://slack.linkerd.io/\n" }, { "path": "Cargo.toml", "content": "[workspace]\nresolver = \"2\"\nmembers = [\n \"policy-controller\",\n \"policy-controller/core\",\n \"policy-controller/grpc\",\n \"policy-controller/k8s/api\",\n \"policy-controller/k8s/index\",\n \"policy-controller/k8s/status\",\n \"policy-controller/runtime\",\n \"policy-test\",\n]\n\n[profile.release]\nlto = \"thin\"\n\n[workspace.dependencies]\ngateway-api = \"0.16\"\nhttp = \"1\"\nhyper = \"1\"\nk8s-openapi = { version = \"0.25\", features = [\"v1_33\"] }\nkube = { version = \"1.1\", default-features = false }\nkubert = { version = \"0.25\", default-features = false }\nprometheus-client = { version = \"0.23\", default-features = false }\ntonic = { version = \"0.14\", default-features = false }\ntower = { version = \"0.5\", default-features = false }\n\nlinkerd-policy-controller = { path = \"./policy-controller\" }\nlinkerd-policy-controller-core = { path = \"./policy-controller/core\" }\nlinkerd-policy-controller-grpc = { path = \"./policy-controller/grpc\" }\nlinkerd-policy-controller-k8s-api = { path = \"./policy-controller/k8s/api\" }\nlinkerd-policy-test = { path = \"./policy-test\" }\n\n[workspace.dependencies.hyper-util]\nversion = \"0.1\"\ndefault-features = false\nfeatures = [\"tracing\"]\n\n[workspace.dependencies.linkerd-policy-controller-k8s-index]\npath = \"./policy-controller/k8s/index\"\n\n[workspace.dependencies.linkerd-policy-controller-k8s-status]\npath = \"./policy-controller/k8s/status\"\n\n[workspace.dependencies.linkerd-policy-controller-runtime]\npath = \"./policy-controller/runtime\"\ndefault-features = false\n\n[workspace.dependencies.linkerd2-proxy-api]\nversion = \"0.18.0\"\nfeatures = [\"inbound\", \"outbound\"]\n" }, { "path": "DCO", "content": "Developer Certificate of Origin\nVersion 1.1\n\nCopyright (C) 2004, 2006 The Linux Foundation and its contributors.\n1 Letterman Drive\nSuite D4700\nSan Francisco, CA, 94129\n\nEveryone is permitted to copy and distribute verbatim copies of this\nlicense document, but changing it is not allowed.\n\n\nDeveloper's Certificate of Origin 1.1\n\nBy making a contribution to this project, I certify that:\n\n(a) The contribution was created in whole or in part by me and I\n have the right to submit it under the open source license\n indicated in the file; or\n\n(b) The contribution is based upon previous work that, to the best\n of my knowledge, is covered under an appropriate open source\n license and I have the right under that license to submit that\n work with modifications, whether created in whole or in part\n by me, under the same open source license (unless I am\n permitted to submit under a different license), as indicated\n in the file; or\n\n(c) The contribution was provided directly to me by some other\n person who certified (a), (b) or (c) and I have not modified\n it.\n\n(d) I understand and agree that this project and the contribution\n are public and that a record of the contribution (including all\n personal information I submit with it, including my sign-off) is\n maintained indefinitely and may be redistributed consistent with\n this project or the open source license(s) involved.\n" }, { "path": "Dockerfile-debug", "content": "FROM debian:bookworm-slim\nRUN apt-get update && apt-get install -y --no-install-recommends \\\n curl \\\n dnsutils \\\n iptables \\\n jq \\\n nghttp2 \\\n tcpdump \\\n iproute2 \\\n lsof \\\n conntrack \\\n tshark && \\\n rm -rf /var/lib/apt/lists/*\n\n# We still rely on old iptables-legacy syntax.\nRUN update-alternatives --set iptables /usr/sbin/iptables-legacy \\\n && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy\n\nENTRYPOINT [ \"tshark\", \"-i\", \"any\" ]\n" }, { "path": "Dockerfile.controller", "content": "# Precompile key slow-to-build dependencies\nFROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps\nWORKDIR /linkerd-build\nCOPY go.mod go.sum ./\nCOPY bin/install-deps bin/\nRUN go mod download\nARG TARGETARCH\nRUN ./bin/install-deps $TARGETARCH\n\n## compile controller service\nFROM go-deps AS golang\nWORKDIR /linkerd-build\nCOPY controller/gen controller/gen\nCOPY pkg pkg\nCOPY charts charts\nCOPY controller controller\nCOPY charts/patch charts/patch\nCOPY charts/partials charts/partials\nCOPY multicluster multicluster\n\nARG TARGETARCH\nRUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/controller -tags prod -mod=readonly -ldflags \"-s -w\" ./controller/cmd\n\nFROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v48-rust-musl AS policy\nARG BUILD_TYPE=\"release\"\nWORKDIR /build\nRUN mkdir -p target/bin\nCOPY Cargo.toml Cargo.lock .\nCOPY policy-controller policy-controller\nRUN cargo new policy-test --lib\nENV CARGO=\"cargo auditable\"\nRUN --mount=type=cache,target=/usr/local/cargo/registry \\\n just-cargo fetch\nARG TARGETARCH\n# Install cross compiler toolchains\nRUN case \"$TARGETARCH\" in \\\n amd64) true ;; \\\n arm64) apt-get -y update && apt-get install --no-install-recommends -y binutils-aarch64-linux-gnu ;; \\\n esac && rm -rf /var/lib/apt/lists/*\n# Enable tokio runtime metrics\nENV RUSTFLAGS=\"--cfg tokio_unstable\"\nRUN --mount=type=cache,target=target \\\n --mount=type=cache,target=/usr/local/cargo/registry \\\n target=$(case \"$TARGETARCH\" in \\\n amd64) echo x86_64-unknown-linux-musl ;; \\\n arm64) echo aarch64-unknown-linux-musl ;; \\\n *) echo \"unsupported architecture: $TARGETARCH\" >&2; exit 1 ;; \\\n esac) && \\\n just-cargo profile=$BUILD_TYPE target=$target build --package=linkerd-policy-controller && \\\n mkdir /out && mv \"target/$target/$BUILD_TYPE/linkerd-policy-controller\" /out/\n\n## package runtime\nFROM scratch\nLABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2\nCOPY LICENSE /linkerd/LICENSE\nCOPY --from=golang /out/controller /controller\nCOPY --from=policy /out/linkerd-policy-controller /\n# for heartbeat (https://versioncheck.linkerd.io/version.json)\nCOPY --from=golang /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/\n\nARG LINKERD_VERSION\nENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}\nENTRYPOINT [\"/controller\"]\n" }, { "path": "Dockerfile.proxy", "content": "ARG BUILDPLATFORM=linux/amd64\nARG RUNTIME_IMAGE=\"cr.l5d.io/linkerd/proxy-runtime:latest\"\nARG TARGETARCH\n\n# Precompile key slow-to-build dependencies\nFROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps\nWORKDIR /linkerd-build\nCOPY go.mod go.sum ./\nCOPY bin/install-deps bin/\nRUN go mod download\nARG TARGETARCH\nRUN ./bin/install-deps $TARGETARCH\n\nFROM --platform=$BUILDPLATFORM debian:bookworm-slim AS fetch\nRUN DEBIAN_FRONTEND=noninteractive apt-get update && \\\n DEBIAN_FRONTEND=noninteractive apt-get install -y curl jq && \\\n rm -rf /var/lib/apt/lists/*\nWORKDIR /build\nCOPY bin/fetch-proxy bin/fetch-proxy\nCOPY bin/scurl bin/scurl\nARG TARGETARCH\nARG LINKERD2_PROXY_REPO=\"linkerd/linkerd2-proxy\"\nARG LINKERD2_PROXY_VERSION=\"\"\nRUN --mount=type=secret,id=github \\\n export GITHUB_TOKEN_FILE=/run/secrets/github; \\\n proxy=$(bin/fetch-proxy \"$LINKERD2_PROXY_VERSION\" \"$TARGETARCH\"); \\\n mv \"$proxy\" linkerd2-proxy\nRUN echo \"$LINKERD2_PROXY_VERSION\" > proxy-version\nARG LINKERD_AWAIT_VERSION=v0.3.2\nRUN bin/scurl -o linkerd-await https://github.com/linkerd/linkerd-await/releases/download/release%2F${LINKERD_AWAIT_VERSION}/linkerd-await-${LINKERD_AWAIT_VERSION}-${TARGETARCH} && chmod +x linkerd-await\nARG LINKERD_VALIDATOR_VERSION=v0.1.7\nRUN bin/scurl -O https://github.com/linkerd/linkerd2-proxy-init/releases/download/validator%2F${LINKERD_VALIDATOR_VERSION}/linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux.tgz\nRUN tar -zxvf linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux.tgz && mv linkerd-network-validator-${LINKERD_VALIDATOR_VERSION}-${TARGETARCH}-linux/linkerd-network-validator .\n\n## compile proxy-identity agent\nFROM go-deps AS golang\nWORKDIR /linkerd-build\nCOPY pkg/util pkg/util\nCOPY pkg/flags pkg/flags\nCOPY pkg/tls pkg/tls\nCOPY pkg/version pkg/version\nARG TARGETARCH\nRUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...\nCOPY proxy-identity proxy-identity\nRUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags \"-s -w\" ./proxy-identity\n\n## build proxy-init\nFROM --platform=$BUILDPLATFORM golang:1.25.8-alpine AS proxy-init\nWORKDIR /build\nARG PROXY_INIT_REPO=\"linkerd/linkerd2-proxy-init\"\nARG PROXY_INIT_REF=\"proxy-init/v2.4.6\"\nRUN apk add --no-cache ca-certificates git\nRUN --mount=type=secret,id=github \\\n export GITHUB_TOKEN_FILE=/run/secrets/github; \\\n git init --initial-branch=main . && \\\n git remote add origin https://github.com/${PROXY_INIT_REPO}.git && \\\n git fetch --depth 1 origin ${PROXY_INIT_REF} && \\\n git checkout --detach FETCH_HEAD\nRUN go mod download\nARG TARGETARCH\nRUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \\\n go build -o /out/linkerd2-proxy-init -mod=readonly -ldflags \"-s -w\" -v ./proxy-init\n\nFROM $RUNTIME_IMAGE-$TARGETARCH AS runtime\nLABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2\n\nCOPY --from=proxy-init /out/linkerd2-proxy-init /usr/lib/linkerd/linkerd2-proxy-init\n# Set sys caps for iptables utilities and proxy-init\nUSER root\nRUN [\"/usr/sbin/setcap\", \"cap_net_raw,cap_net_admin+eip\", \"/usr/sbin/xtables-legacy-multi\"]\nRUN [\"/usr/sbin/setcap\", \"cap_net_raw,cap_net_admin+eip\", \"/usr/sbin/xtables-nft-multi\"]\nRUN [\"/usr/sbin/setcap\", \"cap_net_raw,cap_net_admin+eip\", \"/usr/lib/linkerd/linkerd2-proxy-init\"]\nUSER 65534\n\nCOPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE\nCOPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt\nCOPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy\nCOPY --from=fetch /build/linkerd-await /usr/lib/linkerd/linkerd-await\nCOPY --from=fetch /build/linkerd-network-validator /usr/lib/linkerd/linkerd2-network-validator\nCOPY --from=golang /out/proxy-identity /usr/lib/linkerd/linkerd2-proxy-identity\nCOPY --from=debian:bookworm-slim /bin/sleep /bin/sleep\nARG LINKERD_VERSION\nENV LINKERD_CONTAINER_VERSION_OVERRIDE=${LINKERD_VERSION}\nENV LINKERD2_PROXY_LOG=warn,linkerd=info\nENV LINKERD2_PROXY_LOG_FORMAT=plain\nENTRYPOINT [\"/usr/lib/linkerd/linkerd2-proxy-identity\"]\n" }, { "path": "EXTENSIONS.md", "content": "# Linkerd Extensions\n\nLinkerd has an extension model which allows 3rd parties to add functionality.\nEach extension consists of a binary CLI named `linkerd-name` (where `name` is\nthe name of the extension) as well as a set of Kubernetes resources. To invoke\nan extension, users can run `linkerd name` which will search the current PATH\nfor an executable named `linkerd-name` and execute it.\n\n## Installing Extensions\n\nTo install an extension, first download the extension executable and put it\nin your PATH. The extension can then be installed into your Kubernetes cluster\nby running `linkerd install | kubectl apply -f -`. Similarly,\nit can be uninstalled by running\n`linkerd uninstall | kubectl delete -f -`.\n\nA full list of installed extensions can be printed by running `linkerd check`.\n\n## Developing Extensions\n\nThe extension must be an executable file named `linkerd-name` where `name` is\nthe name of the extension. The name must not be any of the built-in Linkerd\ncommands (e.g. `check`) or extensions (e.g. `viz`).\n\nThe extension must accept the following flags and respect them any time that\nit communicates with the Kubernetes API. All of these flags must be accepted\nbut may be ignored if they are not applicable.\n\n* `--api-addr`: Override kubeconfig and communicate directly with the control\n plane at host:port (mostly for testing)\n* `--context`: Name of the kubeconfig context to use\n* `--as`: Username to impersonate for Kubernetes operations\n* `--as-group`: Group to impersonate for Kubernetes operations\n* `--help`/`-h`: Print help message\n* `--kubeconfig`: Path to the kubeconfig file to use for CLI requests\n* `--linkerd-namespace`/`-L`: Namespace in which Linkerd is installed\n [$LINKERD_NAMESPACE]\n* `--verbose`: Turn on debug logging\n\nThe extension must implement these commands:\n\n### `linkerd-name install`\n\nThis command must print the Kubernetes manifests for the extension as yaml\nwhich is suitable to be passed to `kubectl apply -f`. These manifests must\ninclude a Namespace resource with the label `linkerd.io/extension=name` where\n`name` is the name of the extension. This allows Linkerd to detect installed\nextensions.\n\n### `linkerd-name uninstall`\n\nThis command must print manifests for all cluster-scoped Kubernetes resources\nbelonging to this extension (including the extension Namespace) as yaml which\nis suitable to be passed to `kubectl delete -f`.\n\n### `linkerd-name check`\n\nThis command must perform any appropriate health checks for the extension\nincluding but not limited to checking that the extension resources exist and\nare in a healthy state. This command must exit with a status code of 0 if the\nchecks pass or with a nonzero status code if they do not pass. For consistency,\nit is recommended that this command follows the same output formatting as\n`linkerd check`, e.g.\n\n```console\nlinkerd-version\n---------------\n√ can determine the latest version\n√ cli is up-to-date\n\nStatus check results are √\n```\n\nThe final line of output should be either `Status check results are √` or\n`Status check results are ×`.\n\nIn addition to the flags described above, `linkerd-name check` must accept the\nfollowing flags:\n\n* `--namespace`/`-n`: Namespace to use for –proxy checks (default: all\n namespaces)\n* `--output`/`-o`: Output format. One of: table, json, short\n* `--pre`: Only run pre-installation checks, to determine if the extension can\n be installed\n* `--proxy`: Only run data-plane checks, to determine if the data plane is\n healthy\n* `--wait`: Maximum allowed time for all tests to pass\n\nIf the output format is set to json then output must be in json format\ninstead of the output format described above. E.g.\n\n```json\n{\n \"success\": false,\n \"categories\": [\n {\n \"categoryName\": \"kubernetes-api\",\n \"checks\": [\n {\n \"description\": \"can initialize the client\",\n \"result\": \"success\"\n },\n {\n \"description\": \"can query the Kubernetes API\",\n \"result\": \"success\"\n },\n {\n \"description\": \"linkerd-viz Namespace exists\",\n \"hint\": \"https://linkerd.io/2/checks/#l5d-viz-ns-exists\",\n \"error\": \"could not find the linkerd-viz extension\",\n \"result\": \"error\"\n }\n ]\n }\n ]\n}\n```\n\nIn particular, the `linkerd check` command will invoke the check command for\neach extension installed in the cluster and will request json output.\n`linkerd check` may optinally invoke your extension if not installed in the\ncluster (see `linkerd-name _extension-metadata` below to opt-in). To preserve\nforwards compatibility, it is recommended that the check command should ignore\nany unknown flags.\n\n### `linkerd-name _extension-metadata`\n\nThis subcommand is optional, and enables an extension to opt-in to being\nexecuted as part of `linkerd check`, even when there is no corresponding\nextension on the cluster. To opt-in, the output of\n`linkerd-name _extension-metadata` should be json of the form:\n\n```json\n{\n \"name\": \"linkerd-name\",\n \"checks\": \"always\",\n}\n```\n\nNote that for `linkerd check` to validate which extensions are opting-in, it\nruns `linkerd-* _extension-metadata` against every executable in the PATH.\n\nThe extension may also implement further commands in addition to the ones\ndefined here.\n" }, { "path": "GOVERNANCE.md", "content": "# Linkerd Governance\n\nThis document defines project governance for Linkerd.\n\n> The Linkerd maintainers are 100% committed to open governance and to being\n> hosted by a neutral foundation. We believe that a diverse and active set of\n> maintainers is fundamental to the long-term health of an open source project.\n> And we want YOU to join us.\n\n— [Linkerd's Commitment to Open\nGovernance](https://linkerd.io/2019/10/03/linkerds-commitment-to-open-governance/)\n\n## Contributors\n\nLinkerd is for everyone. Anyone can become a Linkerd contributor simply by\ncontributing to the project, whether through code, documentation, blog posts,\ncommunity management, or other means. As with all Linkerd community members,\ncontributors are expected to follow the [Linkerd Code of\nConduct][coc].\n\nAll contributions to Linkerd code, documentation, or other components in the\nLinkerd GitHub org must follow the guidelines in [CONTRIBUTING.md][contrib].\nWhether these contributions are merged into the project is the prerogative of\nthe maintainers.\n\n## Directors\n\nDirectors are responsible for non-technical leadership functions within the\nproject. This includes representing Linkerd and its maintainers to the\ncommunity, to press, and to the outside world; interfacing with CNCF and other\ngovernance entities; and participating in project decision-making processes when\nappropriate.\n\nDirectors may be elected by a majority vote of the maintainers.\n\n## Maintainers\n\nMaintainers have the ability to merge code into the project. Anyone can\nbecome a Linkerd maintainer (see \"Becoming a maintainer\" below.)\n\n### Expectations\n\nLinkerd maintainers are expected to:\n\n* Review pull requests, triage issues, and fix bugs in their areas of\n expertise, ensuring that all changes go through the project's code review\n and integration processes.\n* Monitor cncf-linkerd-* emails and the Linkerd Slack, and help out when\n possible.\n* Rapidly respond to any time-sensitive security release processes.\n* Attend meetings with the Linkerd Steering Committee.\n\nIf a maintainer is no longer interested in or cannot perform the duties\nlisted above, they should move themselves to emeritus status. If necessary,\nthis can also occur through the decision-making process outlined below.\n\n### Becoming a maintainer\n\nAnyone can become a Linkerd maintainer. Maintainers should be extremely\nproficient in Go and/or Rust; have relevant domain expertise; have the time\nand ability to meet the maintainer expectations above; and demonstrate the\nability to work with the existing maintainers and project processes.\n\nTo become a maintainer, start by expressing interest to existing maintainers.\nExisting maintainers will then ask you to demonstrate the qualifications\nabove by contributing PRs, doing code reviews, and other such tasks under\ntheir guidance. After several months of working together, maintainers will\ndecide whether to grant maintainer status.\n\n## Project decision-making process\n\nIdeally, all project decisions are resolved by consensus of maintainers and\ndirectors. If this is not possible, a vote will be called. The voting process is\na simple majority in which each maintainer and director receives one vote.\n\n[coc]: https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct\n[contrib]: https://github.com/linkerd/linkerd2/blob/main/CONTRIBUTING.md\n" }, { "path": "LICENSE", "content": " Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"{}\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "MAINTAINERS.md", "content": "# Maintainers\n\nThe Linkerd maintainers are:\n\n* Alex Leong @adleong\n* Alejandro Pedraza @alpeb\n* katelyn martin @cratelyn\n* Oliver Gould @olix0r\n* Scott Fleener @sfleen\n* Zahari Dichev @zaharidichev\n\n## Directors\n\nThe Linkerd directors are:\n\n* William Morgan @wmorgan\n\n## Steering Committee\n\nThe Linkerd Steering Committee members are:\n\n* Steve Gray (ZeroFlucs) @steve-gray\n* Priya Namasivayam (Earnin) @priyanamasivayam\n* Christian Hüning (BWI) @christianhuening\n* Dimple Thoomkuzhy (CompareTheMarket) @dimpledalby07\n\n## Emeriti\n\nFormer maintainers include:\n\n* Eliza Weisman @hawkw\n* Hema Lee @hemakl\n* Kevin Leimkuhler @kleimkuhler\n* Kevin Ingleman @klingerf\n* Matei David @mateiidavid\n* Tarun Pothulapati @pothulapati\n* Risha Mars @rmars\n* Andrew Seigner @siggy\n* Steve Jenson @stevej\n\n\n" }, { "path": "README.md", "content": "# Linkerd\n\n![Linkerd][logo]\n\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4629/badge)](https://bestpractices.coreinfrastructure.org/projects/4629)\n[![GitHub Actions Status][github-actions-badge]][github-actions]\n[![GitHub license](https://img.shields.io/github/license/linkerd/linkerd2.svg)](LICENSE)\n[![Go Report Card][go-report-card-badge]][go-report-card]\n[![Go Reference][go-doc-badge]][go-doc]\n[![Slack Status][slack-badge]][slack]\n\n:balloon: Welcome to Linkerd! :wave:\n\nLinkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd\nadds critical security, observability, and reliability features to your\nKubernetes stack with no code change required.\n\nLinkerd is a Cloud Native Computing Foundation ([CNCF][cncf]) project.\n\n## Repo layout\n\nThis is the primary repo for the Linkerd 2.x line of development.\n\nThe complete list of Linkerd repos is:\n\n* [linkerd2][linkerd2]: Main Linkerd 2.x repo, including control plane and CLI\n* [linkerd2-proxy][proxy]: Linkerd 2.x data plane proxy\n* [linkerd2-proxy-api][proxy-api]: Linkerd 2.x gRPC API bindings\n* [linkerd][linkerd1]: Linkerd 1.x\n* [website][linkerd-website]: linkerd.io website (including docs for 1.x and\n 2.x)\n\n## Quickstart and documentation\n\nYou can run Linkerd on any modern Kubernetes cluster in a matter of seconds.\nSee the [Linkerd Getting Started Guide][getting-started] for how.\n\nFor more comprehensive documentation, start with the [Linkerd\ndocs][linkerd-docs]. (The doc source code is available in the\n[website][linkerd-website] repo.)\n\n## Working in this repo\n\n[`BUILD.md`](BUILD.md) includes general information on how to work in this repo.\n\nWe :heart: pull requests! See [`CONTRIBUTING.md`](CONTRIBUTING.md) for info on\ncontributing changes.\n\n## Get involved\n\n* Join Linkerd's [user mailing list][linkerd-users], [developer mailing\n list][linkerd-dev], and [announcements mailing list][linkerd-announce].\n* Follow [@Linkerd][twitter] on Twitter.\n* Join the [Linkerd Slack][slack].\n\n## Steering Committee meetings\n\nWe host regular online meetings for the Linkerd Steering Committee. All are\nwelcome to attend, but audio and video participation is limited to Steering\nCommittee members and maintainers. These meetings are currently scheduled on an\nad-hoc basis and announced on the [linkerd-users][linkerd-users] mailing list.\n\n* [Zoom link](https://zoom.us/my/cncflinkerd)\n* [Minutes from previous meetings](https://docs.google.com/document/d/1GDNM5eosiyjVDo6YHXBMsvlpyzUldgg-XLMNzf7I404/edit)\n* [Recordings from previous meetings](https://www.youtube.com/playlist?list=PLI9FkLPXDscBHP91Ud3lyJScI4ZCjRG6F)\n\n## Code of Conduct\n\nThis project is for everyone. We ask that our users and contributors take a few\nminutes to review our [Code of Conduct][CoC].\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for our security policy, including how to report\nvulnerabilities.\n\nLinkerd undergoes periodic third-party security audits and we\n[publish the results here](https://github.com/linkerd/linkerd2/tree/main/audits).\n\n## License\n\nCopyright 2025 the Linkerd Authors. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use\nthese files except in compliance with the License. You may obtain a copy of the\nLicense at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed\nunder the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR\nCONDITIONS OF ANY KIND, either express or implied. See the License for the\nspecific language governing permissions and limitations under the License.\n\n\n[github-actions]: https://github.com/linkerd/linkerd2/actions\n[github-actions-badge]: https://github.com/linkerd/linkerd2/actions/workflows/actions.yml/badge.svg\n[cncf]: https://www.cncf.io/\n[CoC]: https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct\n[getting-started]: https://linkerd.io/2/getting-started/\n[go-report-card]: https://goreportcard.com/report/github.com/linkerd/linkerd2\n[go-report-card-badge]: https://goreportcard.com/badge/github.com/linkerd/linkerd2\n[go-doc-badge]: https://pkg.go.dev/badge/github.com/linkerd/linkerd2.svg\n[go-doc]: https://pkg.go.dev/github.com/linkerd/linkerd2\n[linkerd1]: https://github.com/linkerd/linkerd\n[linkerd2]: https://github.com/linkerd/linkerd2\n[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce\n[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev\n[linkerd-docs]: https://linkerd.io/2/overview/\n[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users\n[linkerd-website]: https://github.com/linkerd/website\n[logo]: https://user-images.githubusercontent.com/9226/33582867-3e646e02-d90c-11e7-85a2-2e238737e859.png\n[proxy]: https://github.com/linkerd/linkerd2-proxy\n[proxy-api]: https://github.com/linkerd/linkerd2-proxy-api\n[slack-badge]: http://slack.linkerd.io/badge.svg\n[slack]: http://slack.linkerd.io\n[twitter]: https://twitter.com/linkerd\n" }, { "path": "RELEASE.md", "content": "# Linkerd2 Release\n\nThis document contains instructions for releasing Linkerd2.\n\n## 1. Bump the proxy version\n\nDetermine the commit SHA or tag of the `linkerd2-proxy` repo to be included in\nthe release.\n\nThe [proxy-version](https://github.com/linkerd/linkerd2/blob/main/.proxy-version)\nfile is kept in sync automatically by the\n[`sync-proxy`](https://github.com/linkerd/linkerd2/actions/workflows/sync-proxy.yml)\nworkflow. If the file is already at the desired SHA or tag, skip to step 2.\n\nIf updating to `linkerd-proxy` HEAD, note the commit SHA at\n[latest.txt](https://build.l5d.io/linkerd2-proxy/latest.txt) (Look for\n`linkerd2-proxy-.tar.gz`).\n\n## 2. Bump the proxy-init or CNI plugin version\n\nIf the `linkerd2/proxy-init` or `linkerd2/cni-plugin` projects have a new\nrelease (which is rare), the following updates are needed:\n\n- `pkg/version/version.go` (this also implies changes in unit test fixtures)\n\n ```go\n var ProxyInitVersion = \"v2.3.0\"\n var LinkerdCNIVersion = \"v1.4.0\"\n ```\n\n- `charts/linkerd-control-plane/values.yaml`\n\n Upgrade the version in `global.proxyInit.image.version`\n\n- `charts/linkerd2-cni/values.yaml`\n\n Upgrade the version in `image.version`\n\nCreate a new branch in the `linkerd2` repo,\n`username/proxy-init-version-bump`.\n\nOpen a pull request that includes the changes.\n\n## 3. Tag the release\n\n- Checkout the `main` branch, and be sure to pull the latest changes.\n- Tag the current state of `main`, with a tag of the form `edge-YY.M.N`, where\n `YY` is the year, `M` is the month, and `N` is the nth release of the month.\n- Push the tag to the repository.\n\n```sh\nTAG=\"edge-YY.M.N\"\ngit switch main\ngit pull --tags --prune\ngit tag $TAG HEAD\ngit push --tags\n```\n\nThat will kick off a CI Release workflow run that will:\n\n- Build and push the docker images for the tag that was created\n- Run the k3d integration tests in the Github actions VMs themselves\n- Run a k3d integration test on a separate ARM64 host\n- Create a release in Github, and upload the CLI binaries with their checksums\n- Dispatch an event caught by the website repo that triggers a website rebuild\n which will update the edge version in the website\n- Retrieve the installation script from [run.linkerd.io](https://run.linkerd.io)\n and verify it installs the current version being released\n- Deploy the updated helm charts\n\nYou can locate the CI run on the [actions page](https://github.com/linkerd/linkerd2/actions).\n" }, { "path": "SECURITY.md", "content": "# Linkerd Security Policy\n\nSecurity is critical to Linkerd and we take it very seriously. Not only must\nLinkerd be secure, it must improve the security of the system around it. To this\nend, every aspect of Linkerd's development is done with security in mind.\n\nLinkerd makes use of a variety of tools to ensure software security, including:\n\n* Code review\n* Dependency hygiene and supply chain security via\n [dependabot](https://docs.github.com/en/code-security/dependabot)\n* [Fuzz testing](https://linkerd.io/2021/05/07/fuzz-testing-for-linkerd/)\n* [Third-party security audits](#security-audits)\n* And other forms of manual, static, and dynamic checking.\n\n## Reporting a Vulnerability\n\nIf you believe you've found a security problem in Linkerd, whether in the\ncontrol plane, proxy, or any other component, please file a [GitHub security\nadvisory on the linkerd2\nrepo](https://github.com/linkerd/linkerd2/security/advisories). The maintainers\nwill diagnose the severity of the issue and determine how to address the issue.\n\n## Criticality Policy\n\nIn general, critical issues that affect Linkerd's security posture or that\nreduce its ability to provide security for users will receive immediate\nattention and be fixed as quickly as possible.\n\nIssues that do not affect Linkerd's security posture and that don't reduce its\nability to provide security for users may not be immediately addressed. For\nexample, CVEs in underlying dependencies that don't actually affect Linkerd may\nnot be immediately addressed.\n\nOnce merged into main, security updates will be available in the next edge\nrelease produced.\n\n## Security Audits\n\nThe CNCF provides periodic third-party security audits. We publish unredacted\nreports in the [audits/](audits/) subdirectory.\n\n## Security Advisories\n\nWhen vulnerabilities in Linkerd itself are discovered and corrected, we will\nissue a security advisory, describing the problem and providing a pointer to the\nfix. These will be announced to our\n[cncf-linkerd-announce](https://lists.cncf.io/g/cncf-linkerd-announce) mailing\nlist.\n\nThere are some situations where we may delay issuing a security advisory. For\nexample, when a vulnerability is found during a code audit or when several\nissues are likely to be spotted and fixed in the near future, the maintainers\nmay delay the release of a Security Advisory so that we can issue a single\ncomprehensive Security Advisory covering multiple vulnerabilities. Communication\nwith vendors and other distributions shipping the same code may also cause these\ndelays.\n" }, { "path": "STEERING.md", "content": "# Linkerd Steering Committee Charter\n\nThe goal of the Linkerd Steering Committee is to ensure that Linkerd meets the\nneeds of its current and future users. The Steering Committee represents the\nvoice of the user, and works with the Linkerd maintainers and directors to help\nguide development efforts towards solving concrete and immediate problems for\nLinkerd adopters.\n\n## Responsibilities\n\nThe Steering Committee’s responsibilities are to:\n\n1. Provide feedback to project maintainers about Linkerd's featureset, UX, and\n operational model.\n2. Assist Linkerd maintainers in prioritizing upcoming roadmap items and\n planned work.\n3. Represent the \"voice of the Linkerd user\" both internally and to the broader\n community.\n4. Provide neutral mediation for non-technical disputes.\n5. Develop and maintain a project continuity plan.\n\n## Membership\n\nThe Steering Committee comprises at most 7 people. To be eligible for\nmembership in the Steering Committee, you must:\n\n1. Be currently responsible for a production Linkerd deployment of non-trivial\n size, or have been responsible for such a deployment within the past two\n years.\n2. Be willing and able to attend regularly-scheduled Steering Committee\n meetings.\n3. Abide by Linkerd's Code of Conduct.\n\nCandidates for membership will be nominated by current Steering Committee\nmembers or by Linkerd maintainers and directors. Once nominated, inclusion in\nthe Steering Committee will be determined by the normal project decision-making\nprocess.\n\nMembership expires if any of the eligibility conditions is unmet, or after one\nyear. Members may seek reinstatement immediately in accordance with the rules\nabove.\n\n## Meetings\n\nMeetings will happen periodically not less than once a quarter. Recordings and\nminutes will be posted publicly.\n\n## Changes to this charter\n\nChanges to this charter must be approved by a majority of Steering Committee\nmembers and a majority of Linkerd maintainers and directors.\n" }, { "path": "TEST.md", "content": "# Linkerd2 Test Guide\n\nThis document covers how to run all of the tests that are present in the\nLinkerd2 repo. Most of these tests are run in CI, but you can use the\ninstructions here to run the tests from source. For more information about\nworking in this repo, see the [BUILD.md](BUILD.md) guide.\n\nNote that all shell commands in this guide are expected to be run from the root\nof this repo, unless otherwise indicated by a `cd` command.\n\n## Table of contents\n\n- [Unit tests](#unit-tests)\n - [Go](#go)\n - [JavaScript](#javascript)\n - [Shell](#shell)\n- [Integration tests](#integration-tests)\n - [Prerequisites](#prerequisites)\n - [Running tests](#running-tests)\n - [Writing tests](#writing-tests)\n\n## Unit tests\n\n### Go\n\nTo run tests:\n\n```bash\ngo test -cover -race ./...\n```\n\nTo investigate code coverage:\n\n```bash\ncov=`mktemp`\ngo test -coverprofile=$cov ./...\ngo tool cover -html=$cov\n```\n\n#### Pretty-printed diffs for templated text\n\nWhen running `go test`, mismatched text is usually displayed as a compact diff.\nIf you prefer to see the full text of the mismatch with colorized output, you\ncan set the `LINKERD_TEST_PRETTY_DIFF` environment variable or run `go test\n./cli/cmd/... --pretty-diff`.\n\n#### Updating templates\n\nWhen kubernetes templates change, several test fixtures usually need to be\nupdated (in `cli/cmd/testdata/*.golden`). These golden files can be\nautomatically regenerated with the command:\n\n```sh\ngo test ./cli/cmd/... --update\n```\n\n### JavaScript\n\nJavaScript dependencies are managed via [yarn](https://yarnpkg.com/) and\n[webpack](https://webpack.js.org/). We use\n[jest](https://facebook.github.io/jest) as our test runner.\n\nTo fetch dependencies and run tests, run:\n\n```bash\nbin/web setup\nbin/web test\n\n# or alternatively:\n\ncd web/app\nyarn && NODE_ENV=test yarn webpack\nyarn jest \"$*\"\n```\n\nFor faster testing, run a subset of the tests by passing flags to jest.\n\nRun tests on files that have changed since the last commit:\n\n```bash\nbin/web test -o\n```\n\nRun tests that match a spec name (regex):\n\n```bash\nbin/web test -t name-of-spec\n```\n\nRun watch mode:\n\n```bash\nbin/web test --watch # runs -o by default (tests only files changed since last commit)\nbin/web test --watchAll # runs all tests after a change to a file\n```\n\n### Shell\n\n```bash\nbin/shellcheck -x bin/*\n```\n\n## Integration tests\n\nThe `test/integration` directory contains a test suite that can be run to\nvalidate Linkerd functionality via a series of end-to-end tests.\n\n### Prerequisites\n\n#### Prerequisites for default behavior\n\nThe integration tests will configure their own k3s clusters by default (using\nthe k3d helper). There are no prerequisites for this test path.\n\n#### Prerequisites for existing cluster\n\nIf integration tests should run on an existing Kubernetes cluster, then the\n`--skip-cluster-create` flag should be passed. This will disable the tests from\ncreating their own clusters and instead use the current Kubernetes context.\n\nIn this case, ensure the following:\n\n- The Linkerd docker images you're trying to test have been built and are\n accessible to the Kubernetes cluster to which you are deploying.\n If you're testing locally through a KinD or k3d cluster and don't want to push\n the images to a public registry, you can call `bin/image-load --kind|k3d` to\n load all the Linkerd images into those clusters.\n- The `kubectl` CLI has been configured to talk to that Kubernetes cluster\n\n### Running tests\n\nYou can use the `bin/tests` script to run one or all of the tests in the test\nsuite.\n\nThe `bin/tests` script requires an absolute path to a `linkerd` binary to test.\n\nOptional flags can be passed that change the testing behavior:\n\n- `--name`: Pass an argument with this flag to specify a specific test that\n should be run; all tests (except some special ones, see below) are run in the\n absence of this flag. Valid test names are included in the `bin/tests --help`\n output\n- `--skip-cluster-create`: Skip KinD cluster creation for each test and use an\n existing Kubernetes cluster\n- `--images`: (Primarily for CI) Loads images from the `image-archive/`\n directory into the KinD clusters created for each test\n\nView full help text:\n\n```bash\nbin/tests --help\n```\n\nRun individual test:\n\n```bash\nbin/tests --name upgrade /path/to/linkerd\n```\n\n#### Testing against the installed version of the CLI\n\nYou can run tests using your installed version of the `linkerd` CLI. For\nexample, to run the full suite of tests using your installed CLI, run:\n\n```bash\nbin/tests `which linkerd`\n```\n\nIf using an existing cluster to run tests, the resources can be cleaned up\nmanually with:\n\n```bash\nbin/test-cleanup /path/to/linkerd\n```\n\n#### Testing against a locally-built version of the CLI\n\nYou can also test a locally-built version of the `linkerd` CLI.\n\nFirst build all of the Linkerd images by running:\n\n```bash\nbin/docker-build\n```\n\nThat command also copies the corresponding `linkerd` binaries into the\n`target/cli` directory, and you can use the `bin/linkerd` script to load those\nbinaries when running tests. To run tests using your local binary, run:\n\n```bash\nbin/tests $PWD/bin/linkerd\n```\n\n**Note**: As stated above, if running tests in an existing KinD cluster by\npassing `--skip-cluster-create`, `bin/kind-load` must be run so that the images\nare available to the cluster\n\n#### Special tests: cluster-domain, cni-calico-deep and multicluster\n\nWhen running `bin/tests` without specifying `--name` all tests except for\n`cluster-domain`, `cni-calico-deep` and `multicluster` are run, because these require\ncreating the clusters with special configurations. To run any of these tests,\ninvoke them explicitly with `--name` for the script to create the cluster (using\nk3d) and trigger the test:\n\n- `bin/tests --name cluster-domain`: This simply creates the cluster with a\n cluster domain setting different than the default `cluster.local`, then\n installs Linkerd and triggers some smoke tests.\n- `bin/tests --name cni-calico-deep`: This installs a cluster replacing the\n default CNI plugin (which for k3s is Flannel) with the Calico CNI plugin, then\n installs the Linkerd CNI plugin and the Linkerd control plane, and finally\n triggers the full suite of deep tests.\n- `bin/tests --name multicluster`: Two k3d clusters are installed each one with\n separate instances of Linkerd sharing the same trust root. Then the\n multicluster component is installed, both clusters are linked together and a\n test ensures exported services can be reached between the two clusters.\n\n#### Testing the dashboard\n\nIf you're new to the repo, make sure you've installed web dependencies via\n[Yarn](https://yarnpkg.com):\n\n```bash\nbrew install yarn # if you don't already have yarn\nbin/web setup\n```\n\nThen start up the dashboard at `localhost:7777`. You can do that in one of two\nways:\n\n```bash\n# standalone\nbin/web run\n```\n\nOR\n\n```bash\n# with webpack-dev-server\nbin/web dev\n```\n\n## Writing tests\n\nTo add a new test, create a new subdirectory inside the `test/` directory.\nConfiguration files, such as Kubernetes configs, should be placed inside a\n`testdata/` directory inside the test subdirectory that you created. Then create\na test file in the subdirectory that's suffixed with `_test.go`. This test file\nwill be run automatically by the test runner script.\n\nThe tests rely heavily on the test helpers that are defined in the `testutil/`\ndirectory. For a complete description of how to use the test helpers to write\nyour own tests, view the `testutil` package's godoc, with:\n\n```bash\ngodoc github.com/linkerd/linkerd2/testutil | less\n```\n\n## Scale tests\n\nThe scale tests deploy a single Linkerd control-plane, and then scale up\nmultiple sample apps across multiple replicas across multiple namespaces.\n\nPrerequisites:\n\n- a `linkerd` CLI binary\n- Linkerd Docker images associated with the `linkerd` CLI binary\n- a Kubernetes cluster with sufficient resources to run 100s of pods\n\n## Run tests\n\n```bash\nbin/test-scale\nusage: test-scale /path/to/linkerd [namespace]\n```\n\nFor example, to test a newly built Linkerd CLI:\n\n```bash\nbin/test-scale `pwd`/bin/linkerd\n```\n\n## Cleanup\n\n```bash\nbin/test-cleanup /path/to/linkerd\n```\n\n## Test against multiple cloud providers\n\nThe [`bin/test-clouds`](bin/test-clouds) script runs the integration tests\nagainst 4 cloud providers:\n\n- Amazon (EKS)\n- DigitalOcean (DO)\n- Google (GKE)\n- Microsoft (AKS)\n\nThis script assumes you have a working Kubernetes cluster set up on each Cloud\nprovider, and that Kubernetes contexts are configured via environment variables.\n\nFor example:\n\n```bash\nexport AKS=my-aks-cluster\nexport DO=do-nyc1-my-cluster\nexport EKS=arn:aws:eks:us-east-1:123456789012:cluster/my-cluster\nexport GKE=gke_my-project_us-east1-b_my-cluster\n```\n\nFor more information on configuring access to multiple clusters, see:\n\n\n```bash\nbin/test-clouds `pwd`/bin/linkerd\n```\n\nTo cleanup all integration tests:\n\n```bash\nbin/test-clouds-cleanup\n```\n" }, { "path": "bin/_docker.sh", "content": "#!/usr/bin/env bash\n\nset -eu\n\ndocker buildx &> /dev/null || { echo 'Please install docker buildx before proceeding'; exit 1; }\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_log.sh\n. \"$bindir\"/_log.sh\n# shellcheck source=_os.sh\n. \"$bindir\"/_os.sh\n\n# TODO this should be set to the canonical public docker registry; we can override this\n# docker registry in, for instance, CI.\nexport DOCKER_REGISTRY=${DOCKER_REGISTRY:-cr.l5d.io/linkerd}\n\n# populated in GitHub Actions\nexport ACTIONS_CACHE_URL=${ACTIONS_CACHE_URL:-}\n\nexport DOCKER_TARGET=${DOCKER_TARGET:-$(os)}\n\n# When set together with DOCKER_TARGET=multi-arch, it will push the multi-arch images to the registry\nexport DOCKER_PUSH=${DOCKER_PUSH:-}\n\nexport DOCKER_BUILDER=${DOCKER_BUILDER:-}\n\n# Default supported docker image architectures\nexport SUPPORTED_ARCHS=${SUPPORTED_ARCHS:-linux/amd64,linux/arm64}\n\n# Splitting of DOCKER_IMAGES variable is desired.\n# shellcheck disable=SC2206\nexport DOCKER_IMAGES=(${DOCKER_IMAGES:-\n controller\n metrics-api\n debug\n proxy\n web\n tap\n})\n\ndocker_repo() {\n repo=$1\n\n name=$repo\n if [ \"${DOCKER_REGISTRY:-}\" ]; then\n name=\"$DOCKER_REGISTRY/$name\"\n fi\n\n echo \"$name\"\n}\n\ndocker_build() {\n name=$1\n repo=$(docker_repo \"$name\")\n shift\n\n tag=$1\n shift\n\n file=$1\n shift\n\n rootdir=${ROOTDIR:-$( cd \"$bindir\"/.. && pwd )}\n cache_params=''\n\n if [ \"$ACTIONS_CACHE_URL\" ]; then\n cache_params=\"--cache-from type=gha,scope=$name-$DOCKER_TARGET --cache-to type=gha,scope=$name-$DOCKER_TARGET,mode=max\"\n fi\n\n output_params='--load'\n if [ \"$DOCKER_TARGET\" = 'multi-arch' ]; then\n output_params=\"--platform $SUPPORTED_ARCHS\"\n if [ \"$DOCKER_PUSH\" ]; then\n output_params+=' --push'\n else\n echo 'Error: env DOCKER_PUSH=1 is missing\nWhen building the multi-arch images it is required to push the images to the registry\nSee https://github.com/docker/buildx/issues/59 for more details'\n exit 1\n fi\n fi\n\n # Allow for specifying docker builder engine\n # This is a great way to use k8s to build docker images on native hardware instead of emulated\n # See https://docs.docker.com/build/drivers/kubernetes/ for an example\n if [ \"$DOCKER_BUILDER\" ]; then\n output_params+=\" --builder=$DOCKER_BUILDER\"\n fi\n\n log_debug \" :; docker buildx $rootdir $cache_params $output_params -t $repo:$tag -f $file $*\"\n mkdir -p target\n # shellcheck disable=SC2086\n docker buildx build \"$rootdir\" $cache_params \\\n $output_params \\\n -t \"$repo:$tag\" \\\n -f \"$file\" \\\n --metadata-file target/metadata-\"$name\".json \\\n \"$@\"\n\n echo \"$repo:$tag\"\n}\n\ndocker_pull() {\n repo=$(docker_repo \"$1\")\n tag=$2\n log_debug \" :; docker pull $repo:$tag\"\n docker pull \"$repo:$tag\"\n}\n\ndocker_push() {\n repo=$(docker_repo \"$1\")\n tag=$2\n log_debug \" :; docker push $repo:$tag\"\n docker push \"$repo:$tag\"\n}\n\ndocker_retag() {\n repo=$(docker_repo \"$1\")\n from=$2\n to=$3\n log_debug \" :; docker tag $repo:$from $repo:$to\"\n docker tag \"$repo:$from\" \"$repo:$to\"\n echo \"$repo:$to\"\n}\n\ndocker_rename_registry() {\n tag=$1\n from=$2\n to=$3\n for img in \"${DOCKER_IMAGES[@]}\" ; do\n docker tag \"$from/$img:$tag\" \"$to/$img:$tag\"\n done\n}\n" }, { "path": "bin/_log.sh", "content": "#!/usr/bin/env sh\nset -eu\n\n# build debug logging is disabled by default; enable with BUILD_DEBUG=1\n# shell trace logging is disabled by default; enable with TRACE=1\n\nexport TRACE=\"${TRACE:-}\"\nif [ \"$TRACE\" ]; then\n set -x\nfi\n\nlog_debug() {\n if [ -z \"$TRACE\" ] && [ \"${BUILD_DEBUG:-}\" ]; then\n echo \"$@\" >&2\n fi\n}\n" }, { "path": "bin/_os.sh", "content": "#!/usr/bin/env sh\n\nset -eu\n\nexport OS_ARCH_ALL='linux-amd64 linux-arm64 darwin darwin-arm64 windows'\n\narchitecture() {\n arch=$(uname -m)\n case $arch in\n x86_64)\n arch=amd64\n ;;\n armv8*)\n arch=arm64\n ;;\n aarch64*)\n arch=arm64\n ;;\n amd64|arm64)\n # keep arch as is\n ;;\n *)\n echo \"unsupported architecture: $arch\" >&2\n exit 1\n ;;\n esac\n echo \"$arch\"\n}\n\nos() {\n os=$(uname -s)\n arch=''\n case $os in\n CYGWIN* | MINGW64*)\n os=windows\n ;;\n Darwin)\n os=darwin\n ;;\n Linux)\n os=linux\n arch=$(architecture)\n ;;\n *)\n echo \"unsupported os: $os\" >&2\n exit 1\n ;;\n esac\n\n if [ \"$arch\" ]; then\n echo \"$os-$arch\"\n else\n echo \"$os\"\n fi\n}\n" }, { "path": "bin/_tag.sh", "content": "#!/usr/bin/env bash\n\nset -eu\n\ngit_sha_head() {\n git rev-parse --short=8 HEAD\n}\n\nclean_head() {\n [ \"${CI_FORCE_CLEAN:-}\" ] || git diff-index --quiet HEAD --\n}\n\nnamed_tag() {\n tag=$(git name-rev --tags --name-only \"$(git_sha_head)\")\n tag=${tag%\"^0\"}\n echo \"${tag}\"\n}\n\nhead_root_tag() {\n if clean_head ; then\n clean_head_root_tag\n else\n USER=${USER:-nobody}\n name=${USER//[^[:alnum:].-]/}\n echo \"dev-$(git_sha_head)-$name\"\n fi\n}\n\nclean_head_root_tag() {\n if clean_head ; then\n if [ \"$(named_tag)\" != undefined ]; then\n named_tag\n else\n echo \"git-$(git_sha_head)\"\n fi\n else\n echo 'Commit unstaged changes.' >&2\n exit 3\n fi\n}\n" }, { "path": "bin/_test-helpers.sh", "content": "#!/usr/bin/env bash\n\n# Override CI's `set -e` default, so we can catch errors manually and display\n# proper messages\nset +e\n\nk8s_version_min='+v1.23'\nk8s_version_max='docker.io/rancher/k3s:v1.31.5-k3s1'\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\ntestdir=$bindir/../test/integration\n\n##### Test setup helpers #####\n\nexport default_test_names=(deep deep-native-sidecar viz tracing external helm-upgrade uninstall upgrade-edge default-policy-deny rsa-ca)\nexport external_resource_test_names=(external-resources)\n# TODO(alpeb): add test cni-calico-deep-dual-stack\nexport dual_stack_test_names=(deep-dual-stack)\nexport all_test_names=(cluster-domain cni-calico-deep multicluster \"${default_test_names[*]}\" \"${external_resource_test_names[*]}\" \"${dual_stack_test_names[*]}\")\nimages_load_default=(proxy controller web metrics-api tap)\n\ntests_usage() {\n progname=${0##*/}\n echo \"Run Linkerd integration tests.\n\nOptionally specify a test with the --name flag: [${all_test_names[*]}]\n\nNote: The cluster-domain, deep-native-sidecar cni-calico-deep and multicluster tests require a custom cluster configuration (see bin/_test-helpers.sh)\n\nUsage:\n ${progname} [--images docker|archive|skip] [--name test-name] [--skip-cluster-create] /path/to/linkerd\n\nExamples:\n # Run all tests in isolated clusters\n ${progname} /path/to/linkerd\n\n # Run single test in isolated clusters\n ${progname} --name test-name /path/to/linkerd\n\n # Skip k3d cluster creation and run all tests in default cluster context\n ${progname} --skip-cluster-create /path/to/linkerd\n\n # Load images from tar files located under the 'image-archives' directory\n # Note: This is primarily for CI\n ${progname} --images archive /path/to/linkerd\n\nAvailable Commands:\n --name: the argument to this option is the specific test to run\n --skip-cluster-create: skip k3d cluster creation step and run tests in an existing cluster\n --skip-cluster-delete: if the tests succeed, don't delete the created resources nor the cluster\n --images: set to 'docker' (default) to load images into the cluster from the local docker cache;\n set to 'preload' to also load them from the local docker cache, after having pulled them from\n a public registry (appears to be faster than having k3d pulling them itself);\n set to 'archive' to load the images from tar files located under the image-archives directory\n --cleanup-docker: delete the 'images-archive' directory and prune the docker cache\"\n}\n\ncleanup_usage() {\n progname=${0##*/}\n echo \"Cleanup Linkerd integration tests.\n\nUsage:\n ${progname} [--context k8s_context] /path/to/linkerd\n\nExamples:\n # Cleanup tests in non-default context\n ${progname} --context k8s_context /path/to/linkerd\n\nAvailable Commands:\n --context: use a non-default k8s context\"\n}\n\nhandle_tests_input() {\n export images=docker\n export test_name=''\n export skip_cluster_create=''\n export skip_cluster_delete=''\n export cleanup_docker=''\n export linkerd_path=''\n\n while [ $# -ne 0 ]; do\n case $1 in\n -h|--help)\n tests_usage \"$0\"\n exit 0\n ;;\n --images)\n images=$2\n if [ -z \"$images\" ]; then\n echo 'Error: the argument for --images was not specified' >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n if [[ $images != 'docker' && $images != 'archive' && $images != 'preload' ]]; then\n echo 'Error: the argument for --images was invalid' >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n shift\n shift\n ;;\n --name)\n test_name=$2\n if [ -z \"$test_name\" ]; then\n echo 'Error: the argument for --name was not specified' >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n shift\n shift\n ;;\n --skip-cluster-create)\n skip_cluster_create=1\n shift\n ;;\n --skip-cluster-delete)\n skip_cluster_delete=1\n shift\n ;;\n --cleanup-docker)\n cleanup_docker=1\n shift\n ;;\n *)\n if echo \"$1\" | grep -q '^-.*' ; then\n echo \"Unexpected flag: $1\" >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n if [ \"$linkerd_path\" ]; then\n echo 'Multiple linkerd paths specified:' >&2\n echo \" $linkerd_path\" >&2\n echo \" $1\" >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n linkerd_path=$(realpath \"$1\")\n shift\n ;;\n esac\n done\n\n if [ -z \"$linkerd_path\" ]; then\n echo 'Error: path to linkerd binary is required' >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n\n if [ -z \"$test_name\" ] && [ \"$skip_cluster_delete\" ]; then\n echo 'Error: must provide --name when using --skip-cluster-delete' >&2\n tests_usage \"$0\" >&2\n exit 64\n fi\n}\n\nhandle_cleanup_input() {\n export k8s_context=''\n export linkerd_path=''\n\n while [ $# -ne 0 ]; do\n case $1 in\n -h|--help)\n cleanup_usage \"$0\"\n exit 0\n ;;\n --context)\n k8s_context=$2\n shift\n shift\n ;;\n *)\n if echo \"$1\" | grep -q '^-.*' ; then\n echo \"Unexpected flag: $1\" >&2\n cleanup_usage \"$0\" >&2\n exit 64\n fi\n if [ \"$linkerd_path\" ]; then\n echo 'Multiple linkerd paths specified:' >&2\n echo \" $linkerd_path\" >&2\n echo \" $1\" >&2\n cleanup_usage \"$0\" >&2\n exit 64\n fi\n linkerd_path=$1\n shift\n ;;\n esac\n done\n\n if [ -z \"$linkerd_path\" ]; then\n echo 'Error: path to linkerd binary is required' >&2\n cleanup_usage \"$0\" >&2\n exit 64\n fi\n}\n\ncheck_linkerd_binary() {\n printf 'Checking the linkerd binary...'\n if [ ! -x \"$linkerd_path\" ]; then\n printf '\\n[%s] does not exist or is not executable\\n' \"$linkerd_path\"\n exit 1\n fi\n exit_code=0\n \"$linkerd_path\" version --client > /dev/null 2>&1\n exit_on_err 'error running linkerd version command'\n echo '[ok]'\n}\n\n##### Cluster helpers #####\n\ncheck_cluster() {\n check_if_k8s_reachable\n kubectl version\n check_if_l5d_exists\n}\n\ndelete_cluster() {\n local name=$1\n \"$bindir\"/k3d cluster delete \"$name\" 2>&1\n exit_on_err 'error deleting cluster'\n}\n\ncleanup_cluster() {\n \"$bindir\"/test-cleanup \"$linkerd_path\" > /dev/null 2>&1\n exit_on_err 'error removing existing Linkerd resources'\n}\n\nsetup_min_cluster() {\n local name=$1\n export helm_path=$bindir/helm\n\n check_linkerd_binary\n if [ -z \"$skip_cluster_create\" ]; then\n \"$bindir\"/k3d cluster create \"$@\" --image \"$k8s_version_min\"\n image_load \"$name\"\n fi\n check_cluster\n}\n\nsetup_cluster() {\n local name=$1\n export helm_path=$bindir/helm\n\n check_linkerd_binary\n if [ -z \"$skip_cluster_create\" ]; then\n \"$bindir\"/k3d cluster create \"$@\"\n image_load \"$name\"\n fi\n check_cluster\n}\n\nfinish() {\n if [ -z \"$skip_cluster_delete\" ]; then\n local name=$1\n if [ -z \"$skip_cluster_create\" ]; then\n delete_cluster \"$name\"\n else\n cleanup_cluster\n fi\n fi\n}\n\ncheck_if_k8s_reachable() {\n printf 'Checking if there is a Kubernetes cluster available...'\n exit_code=0\n kubectl --context=\"$context\" --request-timeout=5s get ns > /dev/null 2>&1\n exit_on_err 'error connecting to Kubernetes cluster'\n echo '[ok]'\n}\n\ncheck_if_l5d_exists() {\n printf 'Checking if Linkerd resources exist on cluster...'\n local resources\n resources=$(kubectl --context=\"$context\" get all,clusterrole,clusterrolebinding,mutatingwebhookconfigurations,validatingwebhookconfigurations,crd -l linkerd.io/control-plane-ns --all-namespaces -oname)\n if [ \"$resources\" ]; then\n printf '\nLinkerd resources exist on cluster:\n\\n%s\\n\nHelp:\n Run: [%s/test-cleanup] ' \"$resources\" \"$linkerd_path\"\n exit 1\n fi\n echo '[ok]'\n}\n\n##### Test runner helpers #####\n\nimage_load() {\n cluster_name=$1\n images_load=(\"${images_load_default[@]}\")\n case $images in\n docker)\n \"$bindir\"/image-load --k3d --cluster \"$cluster_name\" \"${images_load[@]}\"\n exit_on_err \"error calling '$bindir/image-load'\"\n ;;\n preload)\n \"$bindir\"/image-load --k3d --cluster \"$cluster_name\" --preload \"${images_load[@]}\"\n exit_on_err \"error calling '$bindir/image-load'\"\n ;;\n archive)\n \"$bindir\"/image-load --k3d --archive --cluster \"$cluster_name\" \"${images_load[@]}\"\n exit_on_err \"error calling '$bindir/image-load'\"\n ;;\n esac\n}\n\nstart_test() {\n local name=$1\n local config=(--k3s-arg '--disable=local-storage,metrics-server@server:0')\n\n case $name in\n cluster-domain)\n config=(\"$name\" \"${config[@]}\" --no-lb --k3s-arg --cluster-domain=custom.domain --k3s-arg '--disable=servicelb,traefik@server:0' --image \"$k8s_version_max\")\n ;;\n cni-calico-deep)\n config=(\"$name\" \"${config[@]}\" --no-lb --k3s-arg --write-kubeconfig-mode=644 --k3s-arg --flannel-backend=none --k3s-arg --cluster-cidr=192.168.0.0/16 --k3s-arg '--disable=servicelb,traefik@server:0')\n ;;\n multicluster)\n config=(\"${config[@]}\" --network multicluster-test --image \"$k8s_version_max\")\n ;;\n *)\n config=(\"$name\" \"${config[@]}\" --no-lb --k3s-arg '--disable=servicelb,traefik@server:0' --image \"$k8s_version_max\")\n ;;\n esac\n\n if [ \"$name\" = 'multicluster' ]; then\n start_multicluster_test \"${config[@]}\"\n else\n start_single_test \"${config[@]}\"\n fi\n}\n\nstart_single_test() {\n name=$1\n if [ \"$name\" = 'helm-deep' ]; then\n setup_min_cluster \"$@\"\n else\n setup_cluster \"$@\"\n fi\n if [ \"$cleanup_docker\" ]; then\n rm -rf image-archives\n docker system prune --force --all\n fi\n run_\"$name\"_test\n exit_on_err \"error calling 'run_${name}_test'\"\n finish \"$name\"\n}\n\nstart_multicluster_test() {\n setup_cluster source \"$@\"\n setup_cluster target \"$@\"\n if [ \"$cleanup_docker\" ]; then\n rm -rf image-archives\n docker system prune --force --all\n fi\n run_multicluster_test\n exit_on_err \"error calling 'run_multicluster_test'\"\n export context='k3d-source'\n finish source\n export context='k3d-target'\n finish target\n}\n\nrun_test(){\n local filename=$1\n shift\n\n printf 'Test script: [%s] Params: [%s]\\n' \"${filename##*/}\" \"$*\"\n timeout=\"${TEST_TIMEOUT:-15m}\"\n # Exit on failure here\n GO111MODULE=on go test -v -test.timeout=\"$timeout\" --failfast --mod=readonly \"$filename\" \\\n --linkerd=\"$linkerd_path\" \\\n --helm-path=\"$helm_path\" \\\n --default-inbound-policy=\"$default_inbound_policy\" \\\n --k8s-context=\"$context\" \\\n --integration-tests \"$@\"\n}\n\n# Returns the latest version for the release channel\n# $1: release channel to check\nlatest_release_channel() {\n \"$bindir\"/scurl https://versioncheck.linkerd.io/version.json | grep -o \"$1-[0-9]*.[0-9]*.[0-9]*\"\n}\n\n# Run the upgrade-edge test by upgrading the most-recent edge release to the\n# HEAD of this branch.\nrun_upgrade-edge_test() {\n run_test \"$testdir/upgrade-edge/...\"\n}\n\nrun_viz_test() {\n run_test \"$testdir/viz/...\"\n}\n\nsetup_helm() {\n export helm_path=\"$bindir\"/helm\n helm_charts=\"$( cd \"$bindir\"/.. && pwd )\"/charts\n export helm_charts\n export helm_release_name='helm-test'\n export helm_multicluster_release_name='multicluster-test'\n \"$bindir\"/helm-build\n \"$helm_path\" --kube-context=\"$context\" repo add linkerd https://helm.linkerd.io/edge\n exit_on_err 'error setting up Helm'\n}\n\nhelm_cleanup() {\n (\n set -e\n \"$helm_path\" --kube-context=\"$context\" --namespace linkerd-multicluster delete \"$helm_multicluster_release_name\" || true\n kubectl delete ns/linkerd-multicluster || true\n \"$helm_path\" --kube-context=\"$context\" --namespace linkerd-viz delete \"$helm_release_name-l5d-viz\" || true\n kubectl delete ns/linkerd-viz || true\n \"$helm_path\" --kube-context=\"$context\" --namespace linkerd delete \"$helm_release_name-control-plane\" || true\n \"$helm_path\" --kube-context=\"$context\" --namespace linkerd delete \"$helm_release_name-crds\" || true\n kubectl delete ns/linkerd\n )\n exit_on_err 'error cleaning up Helm'\n}\n\nrun_helm-upgrade_test() {\n local edge_version\n edge_version=$(latest_release_channel 'edge')\n\n if [ -z \"$edge_version\" ]; then\n echo 'error getting edge_version'\n exit 1\n fi\n\n setup_helm\n helm_viz_chart=$( cd \"$bindir\"/.. && pwd )/viz/charts/linkerd-viz\n run_test \"$testdir/install/install_test.go\" --helm-path=\"$helm_path\" --helm-charts=\"$helm_charts\" \\\n --viz-helm-chart=\"$helm_viz_chart\" --viz-helm-stable-chart=\"linkerd/linkerd-viz\" --helm-release=\"$helm_release_name\" --upgrade-helm-from-version=\"$edge_version\"\n helm_cleanup\n}\n\nrun_uninstall_test() {\n run_test \"$testdir/install/uninstall/uninstall_test.go\" --uninstall=true\n}\n\nrun_multicluster_test() {\n run_test \"$testdir/multicluster/...\"\n}\n\nrun_deep_test() {\n run_test \"$testdir/deep/...\"\n}\n\nrun_deep-native-sidecar_test() {\n run_test \"$testdir/deep/...\" --native-sidecar\n}\n\nrun_deep-dual-stack_test() {\n run_test \"$testdir/deep/...\" --dual-stack\n}\n\nrun_default-policy-deny_test() {\n export default_inbound_policy='deny'\n run_test \"$testdir/install/...\"\n}\n\nrun_cni-calico-deep_test() {\n run_test \"$testdir/deep/...\" --cni\n}\n\nrun_rsa-ca_test() {\n run_test \"$testdir/rsa-ca/...\"\n}\n\nrun_tracing_test() {\n run_test \"$testdir/tracing/...\"\n}\n\nrun_external_test() {\n run_test \"$testdir/external/...\"\n}\n\nrun_cluster-domain_test() {\n run_test \"$testdir/install/...\" --cluster-domain='custom.domain'\n}\n\n# exit_on_err should be called right after a command to check the result status\n# and eventually generate a GitHub error annotation. Do not use after calls to\n# `go test` as that generates its own annotations. Note this should be called\n# outside subshells in order for the script to terminate.\nexit_on_err() {\n exit_code=$?\n if [ $exit_code -ne 0 ]; then\n export GH_ANNOTATION=${GH_ANNOTATION:-}\n if [ \"$GH_ANNOTATION\" ]; then\n printf '::error::%s\\n' \"$1\"\n else\n printf '\\n=== FAIL: %s\\n' \"$1\"\n fi\n exit $exit_code\n fi\n}\n" }, { "path": "bin/build-cli-bin", "content": "#!/usr/bin/env sh\n\nset -eu\n\n# Builds CLI binary for current platform. Suitable for local development.\n# Note: This script is used by Brew when running `brew install linkerd`:\n# https://github.com/Homebrew/homebrew-core/blob/main/Formula/l/linkerd.rb\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n# shellcheck source=_os.sh\n. \"$bindir\"/_os.sh\n\n(\n cd \"$rootdir\"\n cd \"$(pwd -P)\"\n target=target/cli/$(os)/linkerd\n\n root_tag=$(\"$bindir\"/root-tag)\n GO111MODULE=on CGO_ENABLED=0 go build -o \"$target\" -tags prod -mod=readonly -ldflags \"-s -w -X github.com/linkerd/linkerd2/pkg/version.Version=$root_tag\" ./cli\n echo \"$target\"\n)\n" }, { "path": "bin/certs-openssl", "content": "#!/usr/bin/env sh\n\nset -eu\n\n# Creates the root and issuer (intermediary) self-signed certificates for the control plane using openssl.\n#\n# For instructions on doing this with step-cli, check https://linkerd.io/2/tasks/generate-certificates\n\n# Generate CA config\ncat > ca.cnf << EOF\n[ req ]\ndistinguished_name=dn\nprompt = no\n[ ext ]\nbasicConstraints = CA:TRUE\nkeyUsage = digitalSignature, keyCertSign, cRLSign\n[ dn ]\nCN = identity.linkerd.cluster.local\nEOF\n\n# Generate CA key\nopenssl ecparam -out ca.key -name prime256v1 -genkey -noout\n\n# Generate CA cert\nopenssl req -key ca.key -new -x509 -days 7300 -sha256 -out ca.crt -config ca.cnf -extensions ext\n\n# Generate the intermediate issuer key\nopenssl ecparam -out issuer.key -name prime256v1 -genkey -noout\n\n# Generate the intermediate issuer csr and cert\nopenssl req -new -sha256 -key issuer.key -out issuer.csr -config ca.cnf\nopenssl x509 -sha256 -req -in issuer.csr -out issuer.crt -CA ca.crt -CAkey ca.key -days 7300 -extfile ca.cnf -extensions ext -CAcreateserial\n" }, { "path": "bin/compute-edge-version", "content": "#!/usr/bin/env bash\n\n# This script bumps the patch version of all charts\n\nset -euo pipefail\nshopt -s globstar\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\ntag=$(named_tag)\n\nedge_tag_regex='edge-([0-9][0-9]).([0-9]|[0-9][0-9]).([0-9]+)'\n\n# Get the current edge version.\nurl=https://run.linkerd.io/install-edge\ncurrent_edge=$(\"$bindir\"/scurl $url | awk -v tag_format=\"$edge_tag_regex\" '$0 ~ tag_format')\n\ncurrent_mm=$(echo \"$current_edge\" | sed -n -E \"s/.*$edge_tag_regex}$/\\2/p\")\ncurrent_xx=$(echo \"$current_edge\" | sed -n -E \"s/.*$edge_tag_regex}$/\\3/p\")\nyy=$(date +\"%y\")\nyyyy=$(date +\"%Y\")\nnew_mm=$(date +\"%-m\")\n\n# If this is a new month, `new_xx` should be 1; otherwise increment it.\nif [ \"$new_mm\" != \"$current_mm\" ]; then\n new_xx=1\nelse\n new_xx=$((current_xx+1))\nfi\n\nexpected_tag=\"edge-$yy.$new_mm.$new_xx\"\n\nif [ \"$tag\" != \"$expected_tag\" ]; then\n echo \"Tag ($tag) doesn't match computed edge version ($expected_tag)\"\n exit 1\nfi\n\n[[ \"${1:-}\" == \"update-charts\" ]] || exit 0\n\nnew_version=\"$yyyy.$new_mm.$new_xx\"\n\nfor chart in **/Chart.yaml; do\n if [[ \"$chart\" =~ \"partials\" || \"$chart\" =~ \"patch\" || \"$chart\" =~ \"multicluster-link\" ]]; then\n continue\n fi\n\n echo \"Bumping $chart to $new_version\"\n yq -i \".version = \\\"$new_version\\\"\" \"$chart\"\ndone\n" }, { "path": "bin/docker", "content": "#!/usr/bin/env sh\n\nset -eu\n\ndockerversion=19.03.1\n\nbindir=$( cd \"${0%/*}\" && pwd )\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\ndockerbin=$targetbin/.docker-$dockerversion\n\nif [ ! -f \"$dockerbin\" ]; then\n filename=docker-$dockerversion.tgz\n if [ \"$(uname -s)\" = Darwin ]; then\n os=mac\n else\n os=linux\n fi\n\n url=https://download.docker.com/$os/static/stable/x86_64/$filename\n tmp=$(mktemp -d -t docker.XXX)\n mkdir -p \"$targetbin\"\n (\n cd \"$tmp\"\n \"$bindir\"/scurl -o ./docker.tar.gz \"$url\"\n tar zf ./docker.tar.gz -x docker/docker\n )\n mv \"$tmp/docker/docker\" \"$dockerbin\"\n rm -rf \"$tmp\"\nfi\n\n\"$dockerbin\" \"$@\"\n" }, { "path": "bin/docker-build", "content": "#!/usr/bin/env sh\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\n\"$bindir\"/docker-build-proxy\n\"$bindir\"/docker-build-controller\n\"$bindir\"/docker-build-web\n\"$bindir\"/docker-build-debug\n\"$bindir\"/docker-build-metrics-api\n\"$bindir\"/docker-build-tap\n" }, { "path": "bin/docker-build-cli-bin", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndockerfile=$rootdir/cli/Dockerfile\n\n# shellcheck disable=SC2046\ndocker_build cli-bin \"${TAG:-$(head_root_tag)}\" \"$dockerfile\" \\\n --build-arg LINKERD_VERSION=\"${TAG:-$(head_root_tag)}\" \\\n --target=\"$DOCKER_TARGET\"\n\nIMG=$(docker_repo cli-bin):${TAG:-$(head_root_tag)}\nID=$(docker create \"$IMG\")\n\n# copy the newly built linkerd cli binaries to the local system\nOS=$DOCKER_TARGET\nif [ \"$DOCKER_TARGET\" = 'multi-arch' ]; then\n OS=$OS_ARCH_ALL\nfi\nfor OS in $OS; do\n DIR=$rootdir/target/cli/$OS\n mkdir -p \"$DIR\"\n\n # only copy if available\n (docker cp \"$ID:/out/linkerd-${OS}\" \"$DIR/linkerd\" 2> /dev/null) && echo \"$DIR/linkerd\"\ndone\n\ndocker rm \"$ID\" >/dev/null\n" }, { "path": "bin/docker-build-controller", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndocker_build controller \"${TAG:-$(head_root_tag)}\" \"$rootdir/Dockerfile.controller\" --build-arg LINKERD_VERSION=\"${TAG:-$(head_root_tag)}\"\n" }, { "path": "bin/docker-build-debug", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndockerfile=$rootdir/Dockerfile-debug\n\ndocker_build debug \"${TAG:-$(head_root_tag)}\" \"$dockerfile\"\n" }, { "path": "bin/docker-build-metrics-api", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndockerfile=$rootdir/viz/metrics-api/Dockerfile\ndocker_build metrics-api \"${TAG:-$(head_root_tag)}\" \"$dockerfile\"\n\n" }, { "path": "bin/docker-build-proxy", "content": "#!/usr/bin/env bash\n\nset -eu\n\napko_version=v0.30.13\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n# shellcheck source=_os.sh\n. \"$bindir\"/_os.sh\n\ndockerfile=$rootdir/Dockerfile.proxy\nruntime_image=\"${RUNTIME_IMAGE:-\"cr.l5d.io/linkerd/proxy-runtime:${TAG:-$(head_root_tag)}\"}\"\n\nget_extra_options() {\n options=\n for var in http_proxy https_proxy no_proxy; do\n [ -z \"${!var:-}\" ] || options=\"$options --build-arg '$var=${!var}'\"\n done\n echo \"$options\"\n}\n\n# Build proxy base image with apko\ngo install chainguard.dev/apko@$apko_version\nexport PATH=$PATH:$(go env GOPATH)/bin\n# Add --local flag unless PUSH_RUNTIME_IMAGE is set\napko build \"$rootdir/proxy-runtime.yml\" \"$runtime_image\" \"$rootdir/proxy-runtime.tar\"\ndocker load < \"$rootdir/proxy-runtime.tar\"\nif [[ -n \"${PUSH_RUNTIME_IMAGE:-}\" ]]; then\n for arch in \"arm64\" \"amd64\"; do\n docker push \"$runtime_image-$arch\"\n done\nfi\n\n# We want wordsplit for the extra options here:\n# shellcheck disable=SC2046\ndocker_build proxy \"${TAG:-$(head_root_tag)}\" \"$dockerfile\" \\\n --build-arg RUNTIME_IMAGE=\"$runtime_image\" \\\n --build-arg LINKERD_VERSION=\"${TAG:-$(head_root_tag)}\" \\\n --build-arg LINKERD2_PROXY_REPO=\"${LINKERD2_PROXY_REPO:-linkerd/linkerd2-proxy}\" \\\n --build-arg LINKERD2_PROXY_VERSION=\"${LINKERD2_PROXY_VERSION:-$(cat .proxy-version)}\" \\\n --secret id=github,env=LINKERD2_PROXY_GITHUB_TOKEN \\\n $(get_extra_options)\n" }, { "path": "bin/docker-build-tap", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndockerfile=$rootdir/viz/tap/Dockerfile\ndocker_build tap \"${TAG:-$(head_root_tag)}\" \"$dockerfile\"\n" }, { "path": "bin/docker-build-web", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 0 ]; then\n echo \"no arguments allowed for ${0##*/}, given: $*\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\ndockerfile=$rootdir/web/Dockerfile\ndocker_build web \"${TAG:-$(head_root_tag)}\" \"$dockerfile\" --build-arg LINKERD_VERSION=\"${TAG:-$(head_root_tag)}\"\n" }, { "path": "bin/docker-pull", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -eq 1 ]; then\n tag=${1:-}\nelse\n echo \"usage: ${0##*/} tag\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n\nfor img in \"${DOCKER_IMAGES[@]}\"; do\n docker_pull \"$img\" \"$tag\"\ndone\n" }, { "path": "bin/docker-push", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -eq 1 ]; then\n tag=${1:-}\nelse\n echo \"usage: ${0##*/} tag\" >&2\n exit 64\nfi\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n\nfor img in \"${DOCKER_IMAGES[@]}\"; do\n docker_push \"$img\" \"$tag\"\ndone\n" }, { "path": "bin/docker-retag-all", "content": "#!/usr/bin/env bash\n\nset -eu\n\nif [ $# -ne 2 ]; then\n echo \"usage: ${0##*/} from-tag to-tag\" >&2\n exit 64\nfi\nfrom=$1\nto=$2\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\nfor img in \"${DOCKER_IMAGES[@]}\" ; do\n docker_retag \"$img\" \"$from\" \"$to\"\ndone\n" }, { "path": "bin/docker-test-proxy", "content": "#!/usr/bin/env bash\n\nset -eu\n\nexport RUST_LOG=${RUST_LOG:-}\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\ndocker build -f \"$rootdir/proxy/Dockerfile\" . \\\n --target build \\\n -t proxy-build \\\n --build-arg=PROXY_UNOPTIMIZED=1\ndocker run --rm -it proxy-build env RUST_LOG=\"$RUST_LOG\" cargo test \"$@\"\n" }, { "path": "bin/fetch-proxy", "content": "#!/usr/bin/env sh\n\n# If the first argument to this script is \"latest\" or unset, it fetches the\n# latest proxy binary from the linkerd2-proxy github releases. If it's set to\n# a linkerd2-proxy version number (such as v2.76.0), it will fetch the binary\n# matching that version number instead.\n\nset -eu\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\nbuilddir=$rootdir/target/proxy\n\nproxy_repo=${LINKERD2_PROXY_REPO:-}\nif [ -z \"$proxy_repo\" ]; then\n proxy_repo=linkerd/linkerd2-proxy\nfi\n\nreleases_url=https://api.github.com/repos/\"$proxy_repo\"/releases\n\ngithub_token=${GITHUB_TOKEN:-}\nif [ -z \"$github_token\" ] && [ -n \"${GITHUB_TOKEN_FILE:-}\" ] && [ -f \"$GITHUB_TOKEN_FILE\" ]; then\n github_token=$(cat \"$GITHUB_TOKEN_FILE\")\nfi\n\nghcurl() {\n if [ -n \"${github_token:-}\" ]; then\n \"$bindir\"/scurl -H \"Authorization: Bearer ${github_token:-}\" \"$@\"\n else\n \"$bindir\"/scurl \"$@\"\n fi\n}\n\nmkdir -p \"$builddir\"\ncd \"$builddir\"\n\nversion=${1:-latest}\narch=${2:-amd64}\n\nif ! ghcurl \"$releases_url\" | jq '.[] | select(.name == \"'\"$version\"'\")' > release.json ; then\n echo \"Failed to fetch $releases_url\" >&2\n exit 1\nfi\n\npkgname_legacy=linkerd2-proxy-${version}-${arch}\npkgname_os=linkerd2-proxy-${version}-linux-${arch}\n\n# First try to find the Linux-specific package in the release assets\nif jq -e '.assets[] | select(.name == \"'\"${pkgname_os}.tar.gz\"'\")' release.json > /dev/null; then\n pkgname=$pkgname_os\nelse\n # Fall back to the legacy package name\n if jq -e '.assets[] | select(.name == \"'\"${pkgname_legacy}.tar.gz\"'\")' release.json > /dev/null; then\n pkgname=$pkgname_legacy\n else\n echo \"Neither ${pkgname_os}.tar.gz nor ${pkgname_legacy}.tar.gz found in release assets\" >&2\n exit 1\n fi\nfi\n\npkgfile=${pkgname}.tar.gz\npkgurl=$(jq -r '.assets[] | select(.name == \"'\"$pkgfile\"'\") | .url' release.json)\nif ! ghcurl -H 'Accept: application/octet-stream' -o \"$pkgfile\" \"$pkgurl\" ; then\n echo \"Failed to fetch $pkgurl\" >&2\n exit 1\nfi\n\nshafile=${pkgname}.txt\nshaurl=$(jq -r '.assets[] | select(.name == \"'\"$shafile\"'\") | .url' release.json)\nif ! ghcurl -H 'Accept: application/octet-stream' -o \"$shafile\" \"$shaurl\" ; then\n echo \"Failed to fetch $shaurl\" >&2\n exit 1\nfi\n\ntar -zxvf \"$pkgfile\" >&2\nexpected=$(awk '{print $1}' \"$shafile\")\nif [ \"$(uname)\" = \"Darwin\" ]; then\n computed=$(openssl dgst -sha256 \"$pkgfile\" | awk '{print $2}')\nelse\n computed=$(sha256sum \"$pkgfile\" | awk '{print $1}')\nfi\nif [ \"$computed\" != \"$expected\" ]; then\n echo 'sha mismatch' >&2\n exit 1\nfi\n\nmv \"$pkgname/LICENSE\" .\nmv \"$pkgname/linkerd2-proxy\" .\nrm -r \"$pkgfile\" \"$pkgname\"\nmv linkerd2-proxy \"$pkgname\"\necho \"$builddir/$pkgname\"\n" }, { "path": "bin/fmt", "content": "#!/usr/bin/env bash\n\nset -u\n\nwhile IFS= read -r line; do dirs+=(\"$line\"); done <<< \"$(go list -f \\{\\{.Dir\\}\\} ./...)\"\n\n# go list will list all subdirectories and goimports acts recursively. This\n# results in certain files being reported multiple time. Therefore, we must\n# dedup them. We also ignore protobuf auto-generated code.\nfiles=()\nwhile IFS= read -r line; do files+=(\"$line\"); done <<< \"$(bin/goimports -l \"${dirs[@]}\" | sort -u | grep -v pb.go | grep -v gogen.go | grep -v /controller/gen )\"\n\nif [[ ${files[*]} ]]; then\n for file in \"${files[@]}\"; do\n bin/goimports -d \"$@\" \"$file\"\n done\n exit 64\nfi\n" }, { "path": "bin/go-mod-tree", "content": "#!/usr/bin/env bash\n\n# Print all (transitive) dependencies of the specified go package.\n\nset -euo pipefail\n\nif [ $# -gt 1 ]; then\n echo \"Usage: $0 [root]\" >&2\n exit 64\nfi\ndeclare -r MODULE=${1:-github.com/linkerd/linkerd2}\n\nGRAPH=$(go mod graph)\ndeclare -r GRAPH\n\ndeps_of() {\n local pkg=$1\n echo \"$GRAPH\" | awk '$1 == \"'\"$pkg\"'\" { print $2 }' | sort | uniq\n}\n\ndeclare -A PKGS=()\nsubtree() {\n local pkg=$1\n local namepfx=${2:-}\n local pfx=${3:-}\n # If the package has already been printed, then print it with an\n # asterisk and skip printing its dependencies\n if (( ${PKGS[$pkg]:-0} )); then\n echo \"$namepfx$pkg (*)\"\n else\n # Otherwise, print the package, mark it as printed, and the\n # dependency tree for each of its depndencies\n echo \"$namepfx$pkg\"\n PKGS[$pkg]=1\n local dep=''\n for d in $(deps_of \"$pkg\") ; do\n if [ -n \"$dep\" ]; then subtree \"$dep\" \"$pfx├── \" \"$pfx│ \" ; fi\n dep=$d\n done\n if [ -n \"$dep\" ]; then subtree \"$dep\" \"$pfx└── \" \"$pfx \" ; fi\n fi\n}\n\nif [[ \"$MODULE\" == *@* ]]; then\n # The root specifies an exact version, so print its dependencies.\n subtree \"$MODULE\"\nelif [ -n \"$(echo \"$GRAPH\" | awk '$1 == \"'\"$MODULE\"'\" { print $0 }' | head -n 1)\" ]; then\n # The root does not specify an exact version, but that is how the\n # package is listed in go.mod.\n subtree \"$MODULE\"\nelse\n # The root does not specify an exact version, find all versions of the\n # package and print their depdencies.\n first=1\n for pkg in $(echo \"$GRAPH\" | awk '{ print $1 }' | sort | uniq) ; do\n if [ \"${pkg%@*}\" = \"$MODULE\" ]; then\n if (( first )); then first=0; else echo; fi\n subtree \"$pkg\"\n fi\n done\nfi\n" }, { "path": "bin/go-mod-versions", "content": "#!/usr/bin/env bash\n\n# Print all versions of the specified go package.\n\nset -euo pipefail\n\nif [ $# -ne 1 ]; then\n echo \"Usage: $0 \" >&2\n exit 64\nfi\ndeclare -r MODULE=$1\n\nif [[ \"$MODULE\" == *@* ]]; then\n echo 'The dependency must not specify an exact version.' >&2\n exit 1\nfi\n\nfor pkg in $(go mod graph | awk '{ print $1; print $2 }' | sort | uniq) ; do\n if [ \"${pkg%@*}\" = \"$MODULE\" ]; then\n echo \"$pkg\"\n fi\ndone\n\n" }, { "path": "bin/go-mod-why", "content": "#!/usr/bin/env bash\n\n# Print all (transitive) dependenents of the specified go package.\n\nset -euo pipefail\n\nif [ $# -ne 1 ]; then\n echo \"Usage: $0 \" >&2\n exit 64\nfi\ndeclare -r MODULE=$1\n\nGRAPH=$(go mod graph)\ndeclare -r GRAPH\n\ndepends_on() {\n local pkg=$1\n echo \"$GRAPH\" | awk '$2 == \"'\"$pkg\"'\" { print $1 }' | sort | uniq\n}\n\ndeclare -A PKGS=()\nsupertree() {\n local pkg=$1\n local namepfx=${2:-}\n local pfx=${3:-}\n if (( ${PKGS[$pkg]:-0} )); then\n echo \"$namepfx$pkg (*)\"\n else\n PKGS[$pkg]=1\n echo \"$namepfx$pkg\"\n local parent=''\n for p in $(depends_on \"$pkg\") ; do\n if [ -n \"$parent\" ]; then supertree \"$parent\" \"$pfx├── \" \"$pfx│ \" ; fi\n parent=$p\n done\n if [ -n \"$parent\" ]; then supertree \"$parent\" \"$pfx└── \" \"$pfx \" ; fi\n fi\n}\n\nif [[ \"$MODULE\" == *@* ]]; then\n # The dependency specifies an exact version, so print the packages that\n # depend on it.\n supertree \"$MODULE\"\nelse\n # The dependency does not specify an exact version, find all versions of\n # the package and print the packages that depend on each of them.\n first=1\n for pkg in $(echo \"$GRAPH\" | awk '{ print $1 }' | sort | uniq) ; do\n if [ \"${pkg%@*}\" = \"$MODULE\" ]; then\n if (( first )); then first=0; else echo; fi\n supertree \"$pkg\"\n fi\n done\nfi\n" }, { "path": "bin/go-run", "content": "#!/usr/bin/env sh\n\nset -eu\ncd \"$(pwd -P)\"\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\nif [ $# -eq 0 ]; then\n echo \"Usage: bin/${0##*/} path/to/main [args]\" >&2\n exit 1\nfi\n\nversion=$(\"$bindir\"/root-tag)\nldflags=\"-X github.com/linkerd/linkerd2/pkg/version.Version=$version\"\nmkdir -p target\nGO111MODULE=on go build -v -mod=readonly -race -o ./target/go-run -ldflags \"$ldflags\" \"./$1\"\nshift\nexec ./target/go-run \"$@\"\n" }, { "path": "bin/goimports", "content": "#!/usr/bin/env sh\n\nset -eu\n\ncd \"$(pwd -P)\"\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir/..\" && pwd )\ntargetbin=$rootdir/target/bin\nversion=$( grep golang.org/x/tools go.mod | awk '{ print $2}' )\ngoimportsbin=$targetbin/goimports-$version\n\n# install goimports if it does not exist\nif [ ! -f \"$goimportsbin\" ]; then\n GOBIN=$targetbin go install -mod=readonly golang.org/x/tools/cmd/goimports\n mv \"$targetbin/goimports\" \"$goimportsbin\"\nfi\n\nexec \"$goimportsbin\" \"$@\"\n" }, { "path": "bin/helm", "content": "#!/usr/bin/env sh\n\nset -eu\n\nif command -v helm >/dev/null ; then\n exec helm \"$@\"\nfi\n\nhelmversion=v3.18.4\nbindir=$( cd \"${0%/*}\" && pwd )\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\nhelmbin=$targetbin/helm-$helmversion\n\nif [ ! -f \"$helmbin\" ]; then\n if [ \"$(uname -s)\" = Darwin ]; then\n os=darwin\n arch=amd64\n else\n os=linux\n case $(uname -m) in\n x86_64) arch=amd64 ;;\n arm) dpkg --print-architecture | grep -q arm64 && arch=arm64 ;;\n esac\n fi\n helmcurl=https://get.helm.sh/helm-$helmversion-$os-$arch.tar.gz\n targetdir=$os-$arch\n tmp=$(mktemp -d -t helm.XXX)\n mkdir -p \"$targetbin\"\n (\n cd \"$tmp\"\n \"$bindir\"/scurl -o \"./helm.tar.gz\" \"$helmcurl\"\n tar zf \"./helm.tar.gz\" -x \"$targetdir\"\n chmod +x \"$targetdir/helm\"\n )\n mv \"$tmp/$targetdir/helm\" \"$helmbin\"\n rm -rf \"$tmp\"\nfi\n\n\"$helmbin\" \"$@\"\n" }, { "path": "bin/helm-build", "content": "#!/usr/bin/env bash\n\nset -e\n\nsetValues() {\n sed -i \"s/$1/$2/\" charts/linkerd-control-plane/values.yaml\n sed -i \"s/$1/$2/\" charts/linkerd2-cni/values.yaml\n sed -i \"s/$1/$2/\" multicluster/charts/linkerd-multicluster/values.yaml\n sed -i \"s/$1/$2/\" viz/charts/linkerd-viz/values.yaml\n}\n\nshowErr() {\n printf \"Error on exit:\\n Exit code: %d\\n Failed command: \\\"%s\\\"\\n\" $? \"$BASH_COMMAND\"\n setValues \"$fullVersion\" 'linkerdVersionValue'\n}\n\n# trap the last failed command\ntrap 'showErr' ERR\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\n# cleanup dependencies\nrm -f charts/linkerd-crds/charts/*\nrm -f charts/linkerd-control-plane/charts/*\nrm -f charts/linkerd2-cni/charts/*\nrm -f charts/patch/charts/*\nrm -f viz/charts/linkerd-viz/charts/*\n\n\"$bindir\"/helm dep up \"$rootdir\"/multicluster/charts/linkerd-multicluster\n\"$bindir\"/helm lint \"$rootdir\"/multicluster/charts/linkerd-multicluster\n\"$bindir\"/helm dep up \"$rootdir\"/multicluster/charts/linkerd-multicluster-link\n\"$bindir\"/helm lint \"$rootdir\"/multicluster/charts/linkerd-multicluster-link\n\"$bindir\"/helm lint \"$rootdir\"/charts/partials\n\"$bindir\"/helm dep up \"$rootdir\"/charts/linkerd2-cni\n\"$bindir\"/helm lint \"$rootdir\"/charts/linkerd2-cni\n\"$bindir\"/helm dep up \"$rootdir\"/charts/linkerd-crds\n\"$bindir\"/helm dep up \"$rootdir\"/charts/linkerd-control-plane\n\"$bindir\"/helm dep up \"$rootdir\"/charts/patch\n\"$bindir\"/helm lint \"$rootdir\"/charts/linkerd-crds\n\"$bindir\"/helm lint --set identityTrustAnchorsPEM=\"fake-trust\" --set identity.issuer.tls.crtPEM=\"fake-cert\" --set identity.issuer.tls.keyPEM=\"fake-key\" \"$rootdir\"/charts/linkerd-control-plane\n\"$bindir\"/helm lint \"$rootdir\"/charts/linkerd2-cni\n\"$bindir\"/helm dep up \"$rootdir\"/viz/charts/linkerd-viz\n\"$bindir\"/helm lint \"$rootdir\"/viz/charts/linkerd-viz\n\n# `bin/helm-build package` assumes the presence of \"$rootdir\"/target/helm/index-pre.yaml which is downloaded in the chart_deploy CI job\nif [ \"$1\" = package ]; then\n # shellcheck source=_tag.sh\n . \"$bindir\"/_tag.sh\n tag=$(named_tag)\n\n regex='edge-([0-9]+\\.[0-9]+\\.[0-9]+(-.*)?)'\n if [[ ! \"$tag\" =~ $regex ]]; then\n echo 'Version tag is malformed'\n exit 1\n fi\n fullVersion=${BASH_REMATCH[0]}\n version=${BASH_REMATCH[1]}\n\n # set version in Values files\n setValues 'linkerdVersionValue' \"$fullVersion\"\n\n \"$bindir\"/helm -d \"$rootdir\"/target/helm package \"$rootdir\"/charts/linkerd-crds\n \"$bindir\"/helm --app-version \"$tag\" -d \"$rootdir\"/target/helm package \"$rootdir\"/charts/linkerd-control-plane\n \"$bindir\"/helm --app-version \"$tag\" -d \"$rootdir\"/target/helm package \"$rootdir\"/charts/linkerd2-cni\n \"$bindir\"/helm --app-version \"$tag\" -d \"$rootdir\"/target/helm package \"$rootdir\"/multicluster/charts/linkerd-multicluster\n \"$bindir\"/helm --app-version \"$tag\" -d \"$rootdir\"/target/helm package \"$rootdir\"/viz/charts/linkerd-viz\n\n mv \"$rootdir\"/target/helm/index-pre.yaml \"$rootdir\"/target/helm/index-pre-\"$version\".yaml\n \"$bindir\"/helm repo index --url \"https://helm.linkerd.io/edge/\" --merge \"$rootdir\"/target/helm/index-pre-\"$version\".yaml \"$rootdir\"/target/helm\n\n # restore version in Values files\n setValues \"$fullVersion\" 'linkerdVersionValue'\nfi\n" }, { "path": "bin/image-load", "content": "#!/usr/bin/env bash\n\nset -eo pipefail\n\nkind=''\nk3d=''\ncluster=''\narchive=''\npreload=''\nimages=()\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n# shellcheck source=_docker.sh\n. \"$bindir\"/_docker.sh\n\nusage() {\n printf \"Load into KinD/k3d the referred Linkerd images. If no images are specified all of them are loaded (%s)\\n\" \"${DOCKER_IMAGES[*]}\"\n echo \"\nUsage:\n bin/image-load [--kind] [--k3d] [--cluster name] [--preload] [--archive] [image] [image]...\n\nExamples:\n\n # Load all the images from the local docker instance into KinD\n bin/image-load\n\n # Load only the proxy and controller images into k3d\n bin/image-load --k3d proxy controller\n\n # Load all the images from tar files located under the 'image-archives' directory into k3d\n bin/image-load --k3d --archive\n\nAvailable Commands:\n --cluster: target cluster name (defaults to 'k3s-default' under k3d, and 'kind' under KinD).\n --kind: use a KinD cluster (default).\n --k3d: use a k3d cluster.\n --preload: pull the docker images from a public registry prior to loading them into the cluster, which appears to be faster than having k3d pulling them itself.\n --archive: load the images from local .tar files in the current directory.\"\n}\n\nwhile :\ndo\n case ${1:-} in\n -h|--help)\n usage\n exit 0\n ;;\n --cluster)\n cluster=$2\n shift\n ;;\n --kind)\n kind=1\n ;;\n --k3d)\n k3d=1\n ;;\n --preload)\n preload=1\n ;;\n --archive)\n archive=1\n ;;\n *)\n if [ -z \"${1:-}\" ]; then\n break\n fi\n if echo \"$1\" | grep -q '^-.*' ; then\n echo \"Unexpected flag: $1\" >&2\n usage\n exit 1\n fi\n images+=(\"$1\")\n esac\n shift\ndone\n\nif [ ${#images[@]} -eq 0 ]; then\n images=(\"${DOCKER_IMAGES[@]}\")\nfi\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\nif [ \"$k3d\" ]; then\n if [ \"$kind\" ]; then\n echo \"$k3d\"\n echo \"Error: --kind and --k3d can't be used simultaneously\" >&2\n usage\n exit 1\n fi\n if [ -z \"$cluster\" ]; then\n cluster=k3s-default\n fi\n bin=$bindir/k3d\n image_sub_cmd=(image import -c \"$cluster\")\nelse\n kind=1\n bin=$bindir/kind\n if [ -z \"$cluster\" ]; then\n cluster=kind\n fi\n if [ $archive ]; then\n image_sub_cmd=(load image-archive --name \"$cluster\")\n else\n image_sub_cmd=(load docker-image --name \"$cluster\")\n fi\nfi\n\nif [ -z \"$archive\" ]; then\n # shellcheck source=_tag.sh\n . \"$bindir\"/_tag.sh\n # shellcheck source=_docker.sh\n . \"$bindir\"/_docker.sh\n TAG=${TAG:-$(head_root_tag)}\nfi\n\n# This is really to load the binary synchronously, before\n# the parallel executions below attempt doing so\n\"$bin\" version\n\nrm -f load_fail\nfor i in \"${!images[@]}\"; do\n if [ $archive ]; then\n param=image-archives/${images[$i]}.tar\n else\n param=$DOCKER_REGISTRY/${images[$i]}:$TAG\n if [ $preload ]; then\n docker pull -q \"$param\" || (echo \"Error pulling image $param\"; touch load_fail) &\n fi\n fi\n\n if [ \"$kind\" ]; then\n printf 'Importing %s...\\n' \"${images[$i]}\"\n \"$bin\" \"${image_sub_cmd[@]}\" \"${param[@]}\" || touch load_fail &\n else\n # \"k3d image import\" commands don't behave well when parallelized\n # but all the images can be loaded in a single invocation\n images[$i]=$param\n fi\ndone\n\nwait < <(jobs -p)\nif [ -f load_fail ]; then\n echo 'Loading docker images into the cluster failed.'\n rm load_fail\n exit 1\nfi\n\nif [ \"$k3d\" ]; then\n printf 'Importing %s...\\n' \"${images[@]}\"\n \"$bin\" \"${image_sub_cmd[@]}\" \"${images[@]}\" -m tools-node\nfi\n" }, { "path": "bin/install-deps", "content": "#!/usr/bin/env sh\n\n# This script is used in the multiple Dockerfiles for caching\n# some of the slow-to-build go dependencies.\n\nset -eu\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\narch=${1:-amd64}\ncd \"$rootdir\"\n\nCGO_ENABLED=0 GOOS=linux GOARCH=$arch go install -mod=readonly \\\n github.com/golang/protobuf/jsonpb \\\n github.com/grpc-ecosystem/go-grpc-prometheus \\\n github.com/prometheus/client_golang/api \\\n github.com/prometheus/client_golang/api/prometheus/v1 \\\n github.com/prometheus/client_golang/prometheus \\\n github.com/prometheus/client_golang/prometheus/promhttp \\\n github.com/prometheus/client_model/go \\\n github.com/prometheus/common/expfmt \\\n github.com/prometheus/common/model \\\n github.com/sirupsen/logrus \\\n google.golang.org/grpc \\\n k8s.io/client-go/discovery \\\n k8s.io/client-go/kubernetes \\\n k8s.io/client-go/kubernetes/scheme \\\n k8s.io/client-go/kubernetes/typed/admissionregistration/v1 \\\n k8s.io/client-go/kubernetes/typed/apps/v1 \\\n k8s.io/client-go/kubernetes/typed/apps/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/apps/v1beta2 \\\n k8s.io/client-go/kubernetes/typed/authentication/v1 \\\n k8s.io/client-go/kubernetes/typed/authentication/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/authorization/v1 \\\n k8s.io/client-go/kubernetes/typed/authorization/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/autoscaling/v1 \\\n k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1 \\\n k8s.io/client-go/kubernetes/typed/batch/v1 \\\n k8s.io/client-go/kubernetes/typed/certificates/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/core/v1 \\\n k8s.io/client-go/kubernetes/typed/events/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/extensions/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/networking/v1 \\\n k8s.io/client-go/kubernetes/typed/policy/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/rbac/v1 \\\n k8s.io/client-go/kubernetes/typed/rbac/v1alpha1 \\\n k8s.io/client-go/kubernetes/typed/rbac/v1beta1 \\\n k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1 \\\n k8s.io/client-go/kubernetes/typed/storage/v1 \\\n k8s.io/client-go/kubernetes/typed/storage/v1alpha1 \\\n k8s.io/client-go/kubernetes/typed/storage/v1beta1 \\\n k8s.io/client-go/pkg/version \\\n k8s.io/client-go/plugin/pkg/client/auth \\\n k8s.io/client-go/plugin/pkg/client/auth/azure \\\n k8s.io/client-go/plugin/pkg/client/auth/gcp \\\n k8s.io/client-go/plugin/pkg/client/auth/oidc \\\n k8s.io/client-go/rest \\\n k8s.io/client-go/rest/watch \\\n k8s.io/client-go/tools/auth \\\n k8s.io/client-go/tools/cache \\\n k8s.io/client-go/tools/clientcmd \\\n k8s.io/client-go/tools/pager \\\n k8s.io/client-go/transport \\\n k8s.io/client-go/util/cert \\\n k8s.io/client-go/util/flowcontrol \\\n k8s.io/client-go/util/homedir \\\n k8s.io/client-go/util/jsonpath\n" }, { "path": "bin/k3d", "content": "#!/usr/bin/env sh\n\nset -eu\n\nK3D_VERSION=v5.8.3\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\n# shellcheck source=_os.sh\n. \"$bindir\"/_os.sh\n\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\nk3dbin=$targetbin/k3d-${K3D_VERSION}\n\nif [ ! -f \"$k3dbin\" ]; then\n arch=$(architecture)\n\n if [ \"$(uname -s)\" = Darwin ]; then\n os=darwin\n elif [ \"$(uname -o)\" = Msys ]; then\n os=windows\n else\n os=linux\n fi\n\n mkdir -p \"$targetbin\"\n \"$bindir\"/scurl -o \"$k3dbin\" \"https://github.com/k3d-io/k3d/releases/download/${K3D_VERSION}/k3d-$os-$arch\"\n chmod +x \"$k3dbin\"\nfi\n\n\"$k3dbin\" \"$@\"\n\n" }, { "path": "bin/kind", "content": "#!/usr/bin/env sh\n\nset -eu\n\nkindversion=v0.11.1\n\nbindir=$( cd \"${0%/*}\" && pwd )\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\nkindbin=$targetbin/.kind-$kindversion\n\nif [ ! -f \"$kindbin\" ]; then\n if [ \"$(uname -s)\" = Darwin ]; then\n os=darwin\n arch=amd64\n elif [ \"$(uname -o)\" = Msys ]; then\n os=windows\n arch=amd64\n else\n os=linux\n case $(uname -m) in\n x86_64) arch=amd64 ;;\n arm) arch=arm64 ;;\n esac\n fi\n\n mkdir -p \"$targetbin\"\n \"$bindir\"/scurl -o \"$kindbin\" https://github.com/kubernetes-sigs/kind/releases/download/$kindversion/kind-$os-$arch\n chmod +x \"$kindbin\"\nfi\n\n\"$kindbin\" \"$@\"\n" }, { "path": "bin/kubectl", "content": "#!/usr/bin/env sh\n\nset -eu\n\nkubectlversion=v1.15.3\n\nbindir=$( cd \"${0%/*}\" && pwd )\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\nkubectlbin=$targetbin/.kubectl-$kubectlversion\n\nif [ ! -f \"$kubectlbin\" ]; then\n exe=\n if [ \"$(uname -s)\" = Darwin ]; then\n os=darwin\n arch=amd64\n elif [ \"$(uname -o)\" = Msys ]; then\n os=windows\n arch=amd64\n exe=.exe\n else\n os=linux\n case $(uname -m) in\n x86_64) arch=amd64 ;;\n arm) dpkg --print-architecture | grep -q arm64 && arch=arm64 ;;\n esac\n fi\n\n mkdir -p \"$targetbin\"\n \"$bindir\"/scurl -o \"$kubectlbin\" https://storage.googleapis.com/kubernetes-release/release/$kubectlversion/bin/$os/$arch/kubectl${exe}\n chmod +x \"$kubectlbin\"\nfi\n\n\"$kubectlbin\" \"$@\"\n" }, { "path": "bin/linkerd", "content": "#!/usr/bin/env sh\n\nset -eu\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n# shellcheck source=_os.sh\n. \"$bindir\"/_os.sh\n\nbin=$rootdir/target/cli/$(os)/linkerd\n\n# Always rebuild the linkerd CLI binary before running it. This should be\n# relatively fast (<2s) if nothing has changed.\n\"$bindir\"/build-cli-bin >/dev/null\n\nexec \"$bin\" \"$@\"\n" }, { "path": "bin/minikube-start-hyperv.bat", "content": "REM Starts minikube on Windows 10 using Hyper-V.\nREM\nREM Windows 10 version 1709 (Creator's Update) or later is required for the\nREM \"Default Switch (NAT with automatic DHCP).\nREM\nREM Hyper-V must be enabled in \"Turn Windows features on or off.\"\n\nminikube start --kubernetes-version=\"v1.8.0\" --vm-driver=\"hyperv\" --disk-size=30G --memory=8192 --cpus=4 --hyperv-virtual-switch=\"Default Switch\" --v=7 --alsologtostderr\n" }, { "path": "bin/protoc-go.sh", "content": "#!/usr/bin/env sh\n\nset -eu\n\nrm -rf controller/gen/common controller/gen/config viz/metrics-api/gen viz/tap/gen\nmkdir -p controller/gen/common/net viz/metrics-api/gen/viz viz/tap/gen/tap\n\nprotoc -I proto --go_out=paths=source_relative:controller/gen proto/common/net.proto\nprotoc -I proto -I viz/metrics-api/proto --go_out=paths=source_relative:viz/metrics-api/gen viz/metrics-api/proto/viz.proto\nprotoc -I proto -I viz/metrics-api/proto --go-grpc_out=paths=source_relative:viz/metrics-api/gen/viz viz/metrics-api/proto/viz.proto\nprotoc -I proto -I viz/tap/proto -I viz/metrics-api/proto --go_out=paths=source_relative:viz/tap/gen viz/tap/proto/viz_tap.proto\nprotoc -I proto -I viz/tap/proto -I viz/metrics-api/proto --go-grpc_out=paths=source_relative:viz/tap/gen/tap viz/tap/proto/viz_tap.proto\n\nmv controller/gen/common/net.pb.go controller/gen/common/net/\nmv viz/metrics-api/gen/viz.pb.go viz/metrics-api/gen/viz/viz.pb.go\nmv viz/tap/gen/viz_tap.pb.go viz/tap/gen/tap/viz_tap.pb.go\n" }, { "path": "bin/root-tag", "content": "#!/usr/bin/env bash\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\n# shellcheck source=_tag.sh\n. \"$bindir\"/_tag.sh\n\nhead_root_tag\n" }, { "path": "bin/rust-toolchain-version", "content": "#! /usr/bin/env bash\n# Extracts the current Rust version from the toolchain file.\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\nversion_regex='channel = \"(.+)\"'\ntoolchain=$(cat \"$rootdir\"/rust-toolchain.toml)\n\n# If the `rust-toolchain.toml` file contains a line matching the channel regex,\n# extract the channel and echo it.\nif [[ $toolchain =~ $version_regex ]]; then\n echo \"${BASH_REMATCH[1]}\"\n exit 0;\nfi\n\n# Otherwise, no matching line was found, so print an error.\nif [ \"${GITHUB_ACTIONS:-false}\" = 'true' ]; then\n echo '::error file=rust-toolchain.toml::failed to parse rust-toolchain.toml'\nelse\n echo 'failed to parse rust-toolchain.toml'\nfi\n\nexit 1\n" }, { "path": "bin/scurl", "content": "#!/usr/bin/env sh\n\nexec curl --proto '=https' --tlsv1.2 -sSfL \"$@\"\n" }, { "path": "bin/shellcheck", "content": "#!/usr/bin/env sh\n\nset -eu\n\nif command -v shellcheck >/dev/null ; then\n exec shellcheck \"$@\"\nfi\n\nscversion=v0.8.0\n\nbindir=$( cd \"${0%/*}\" && pwd )\ntargetbin=$( cd \"$bindir\"/.. && pwd )/target/bin\nscbin=$targetbin/.shellcheck-$scversion\nif [ ! -f \"$scbin\" ]; then\n if [ \"$(uname -s)\" = Darwin ]; then\n file=darwin.x86_64.tar.xz\n elif [ \"$(uname -o)\" = Msys ]; then\n # TODO: work on windows\n file=zip\n else\n case $(uname -m) in\n x86_64) file=linux.x86_64.tar.xz ;;\n arm) file=linux.aarch64.tar.xz ;;\n esac\n fi\n\n mkdir -p \"$targetbin\"\n \"$bindir\"/scurl \"https://github.com/koalaman/shellcheck/releases/download/$scversion/shellcheck-${scversion?}.$file\" | tar -OxJv \"shellcheck-${scversion}/shellcheck\" > \"$scbin\"\n chmod +x \"$scbin\"\nfi\n\n\"$scbin\" \"$@\"\n" }, { "path": "bin/shellcheck-all", "content": "#!/usr/bin/env bash\n\nset -eu\n\nbindir=$( cd \"${0%/*}\" && pwd )\nrootdir=$( cd \"$bindir\"/.. && pwd )\n\nscripts() {\n find \"$rootdir\" -name '*.sh' \\\n -not -path \"$rootdir/.git/*\" \\\n -not -path \"$rootdir/target/*\" \\\n -not -path \"$rootdir/web/app/node_modules/*\"\n}\n\n# Make sure all files with the .sh extension are shellscripts and have a\n# proper shebang\nshebangpattern='#!/usr/bin/env (bash|sh)'\nwhile IFS= read -r file ; do\n head -1 \"$file\" | grep -qE \"$shebangpattern\\$\" || {\n echo \"ERROR: No valid '$shebangpattern' shebang found in '$file'\" >&2\n exit 1\n }\ndone < <(scripts)\n\n# For more information on shellcheck failures:\n# https://github.com/koalaman/shellcheck/wiki/Checks\n\n# We want the word splitting for the shellcheck arguments\n# shellcheck disable=SC2046\n\"$bindir\"/shellcheck -x -P \"$bindir\" $(scripts |xargs)\n" }, { "path": "bin/test-cleanup", "content": "#!/usr/bin/env bash\n\nset -eu -o pipefail\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_test-helpers.sh\n. \"$bindir\"/_test-helpers.sh\nhandle_cleanup_input \"$@\"\n\ncheck_linkerd_binary\n\necho \"cleaning up viz extension resources, if present [${k8s_context}]\"\n\"$linkerd_path\" viz uninstall 2> /dev/null | kubectl --context=\"$k8s_context\" delete -f -\n\necho \"cleaning up multicluster resources, if present [${k8s_context}]\"\n\"$linkerd_path\" mc uninstall 2> /dev/null | kubectl --context=\"$k8s_context\" delete -f -\n\necho 'cleaning up the all namespaces labelled with test.linkerd.io/is-test-data-plane'\nkubectl --context=\"$k8s_context\" delete ns -l test.linkerd.io/is-test-data-plane\n\necho 'cleaning up cluster-scoped resources labelled with test.linkerd.io/is-test-data-plane'\nkubectl --context=\"$k8s_context\" delete clusterRole,clusterRoleBindings,mutatingwebhookconfiguration -l test.linkerd.io/is-test-data-plane\n\necho \"cleaning up linkerd resources [${k8s_context}]\"\n\"$linkerd_path\" uninstall | kubectl --context=\"$k8s_context\" delete -f -\n\n# Helm cleanup. Just the entries in `helm ls` as the resources should have already been cleaned up by the code above.\nreleases=$(\"$bindir/helm\" ls -A -q)\nif [[ \"${releases[*]}\" =~ 'l5d-viz' ]]; then\n \"$bindir/helm\" --kube-context=\"$k8s_context\" --namespace linkerd-viz delete l5d-viz\n kubectl delete ns linkerd-viz\nfi\nif [[ \"${releases[*]}\" =~ 'helm-test' ]]; then\n \"$bindir/helm\" --kube-context=\"$k8s_context\" --namespace linkerd delete helm-test-crds\n \"$bindir/helm\" --kube-context=\"$k8s_context\" --namespace linkerd delete helm-test-control-plane\n kubectl delete ns linkerd\nfi\nif [[ \"${releases[*]}\" =~ 'multicluster-test' ]]; then\n \"$bindir/helm\" --kube-context=\"$k8s_context\" --namespace linkerd-multicluster delete multicluster-test\n kubectl delete ns linkerd-multicluster\nfi\n\n" }, { "path": "bin/test-clouds", "content": "#!/usr/bin/env bash\n\n#\n# Run integration tests on 4 cloud providers:\n# - Amazon (EKS)\n# - DigitalOcean (DO)\n# - Google (GKE)\n# - Microsoft (AKS)\n#\n# This script assumes you have a working Kubernetes cluster set up on each Cloud\n# provider, and that Kubernetes contexts are configured via the environment\n# variables $AKS $DO $EKS $GKE.\n#\n# For example:\n# export AKS=my-aks-cluster\n# export DO=do-nyc1-my-cluster\n# export EKS=arn:aws:eks:us-east-1:123456789012:cluster/my-cluster\n# export GKE=gke_my-project_us-east1-b_my-cluster\n#\n# For more information on configuring access to multiple clusters, see:\n# https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#define-clusters-users-and-contexts\n\nset -e\n\n# TODO: share this with test-run\ncheck_linkerd_binary() {\n printf 'Checking the linkerd binary...'\n case \"$linkerd_path\" in\n /*)\n ;;\n *)\n printf '\\n[%s] is not an absolute path\\n' \"$linkerd_path\"\n exit 1\n ;;\n esac\n if [ ! -x \"$linkerd_path\" ]; then\n printf '\\n[%s] does not exist or is not executable\\n' \"$linkerd_path\"\n exit 1\n fi\n exit_code=0\n \"$linkerd_path\" version --client > /dev/null 2>&1 || exit_code=$?\n if [ $exit_code -ne 0 ]; then\n printf '\\nFailed to run linkerd version command\\n'\n exit $exit_code\n fi\n echo '[ok]'\n}\n\nif [ \"$#\" -ne 1 ]; then\n echo \"usage: ${0##*/} /path/to/linkerd\" >&2\n exit 64\nfi\n\nfor CLUSTER in 'AKS' 'DO' 'EKS' 'GKE'; do\n if [ -z \"${!CLUSTER}\" ]; then\n echo \"\\$$CLUSTER not set\" >&2\n exit 64\n fi\ndone\n\nlinkerd_path=$1\ncheck_linkerd_binary\n\nprintf '\\nKicking off tests for:\\n- %s\\n- %s\\n- %s\\n- %s\\n\\n' \"$AKS\" \"$DO\" \"$EKS\" \"$GKE\"\n\ntrap 'trap - SIGTERM && kill -- -$$' SIGINT SIGTERM EXIT\nfor CLUSTER in $AKS $DO $EKS $GKE; do\n bin/test-run \"$linkerd_path\" l5d-integration-cloud \"$CLUSTER\" | while IFS= read -r line; do printf '[%s] %s\\n' \"$CLUSTER\" \"$line\"; done &\ndone\n\nwait\n\n# TODO propagate error code\n" }, { "path": "bin/test-clouds-cleanup", "content": "#!/usr/bin/env bash\n\n#\n# Cleans up integration tests from 4 cloud providers:\n# - Amazon (EKS)\n# - DigitalOcean (DO)\n# - Google (GKE)\n# - Microsoft (AKS)\n#\n# This script assumes you have a working Kubernetes cluster set up on each Cloud\n# provider, and that Kubernetes contexts are configured via environment\n# variables.\n\nset -e\n\nif [ $# -ne 1 ]; then\n echo \"Error: accepts 1 argument\nUsage:\n ${0##*/} /path/to/linkerd\"\n exit 1\nfi\n\nfor CLUSTER in 'AKS' 'DO' 'EKS' 'GKE'; do\n if [ -z \"${!CLUSTER}\" ]; then\n echo \"\\$$CLUSTER not set\" >&2\n exit 64\n fi\ndone\n\nfor CLUSTER in $AKS $DO $EKS $GKE\ndo\n printf '\\n%s\\n' \"$CLUSTER\"\n bin/test-cleanup --context \"$CLUSTER\" \"$1\"\ndone\n" }, { "path": "bin/test-scale", "content": "#!/usr/bin/env bash\n\n# This test script deploys the following:\n# - 1 Linkerd control-plane\n# - 5 NAMESPACES x 5 REPLICAS of each:\n# - Emojivoto demo app\n# - Books demo app\n# - Lifecycle / bb test environment\n#\n# Usage:\n# test-scale /path/to/linkerd [namespace]\n\nset -e\n\nNAMESPACES=5\nREPLICAS=5\n\nbindir=$( cd \"${0%/*}\" && pwd )\n\n# TODO: share these functions with test-run\n\ncheck_linkerd_binary(){\n printf 'Checking the linkerd binary...'\n case \"$linkerd_path\" in\n /*)\n ;;\n *)\n printf '\\n[%s] is not an absolute path\\n' \"$linkerd_path\"\n exit 1\n ;;\n esac\n if [ ! -x \"$linkerd_path\" ]; then\n printf '\\n[%s] does not exist or is not executable\\n' \"$linkerd_path\"\n exit 1\n fi\n exit_code=0\n \"$linkerd_path\" version --client > /dev/null 2>&1 || exit_code=$?\n if [ $exit_code -ne 0 ]; then\n printf '\\nFailed to run linkerd version command\\n'\n exit $exit_code\n fi\n echo '[ok]'\n}\n\ncheck_if_k8s_reachable(){\n printf 'Checking if there is a Kubernetes cluster available...'\n exit_code=0\n kubectl --request-timeout=5s get ns > /dev/null 2>&1 || exit_code=$?\n if [ $exit_code -ne 0 ]; then\n echo '\nFailed to connect to Kubernetes cluster'\n exit $exit_code\n fi\n printf '[ok]\\n'\n}\n\nlinkerd_path=$1\n\nif [ -z \"$linkerd_path\" ]; then\n echo \"usage: ${0##*/} /path/to/linkerd [namespace]\" >&2\n exit 64\nfi\n\ncheck_linkerd_binary\ncheck_if_k8s_reachable\n\nlinkerd_version=$(\"$linkerd_path\" version --client --short)\nlinkerd_namespace=${2:-l5d-scale}\n\n#\n# Deploy Linkerd\n#\n\n\"$linkerd_path\" -l \"$linkerd_namespace\" install | kubectl apply -f -\n\"$linkerd_path\" -l \"$linkerd_namespace\" check --expected-version=\"$linkerd_version\"\n\n#\n# Deploy Books\n#\n\nBOOKS_BACKEND=$(\"$bindir\"/scurl https://raw.githubusercontent.com/BuoyantIO/booksapp/main/k8s/mysql-backend.yml)\n\nAUTHORS_SP=$(\"$bindir\"/scurl https://run.linkerd.io/booksapp/authors.swagger)\nBOOKS_SP=$(\"$bindir\"/scurl https://run.linkerd.io/booksapp/books.swagger)\nWEBAPP_SP=$(\"$bindir\"/scurl https://run.linkerd.io/booksapp/webapp.swagger)\n\n# deploy books backend and service profiles to N namespaces\nfor ((i=1; i <= NAMESPACES; i++)); do\n booksns=$linkerd_namespace-books-$i\n kubectl create ns \"$booksns\"\n echo \"$BOOKS_BACKEND\" | kubectl apply -n \"$booksns\" -f -\n\n echo \"$AUTHORS_SP\" | bin/linkerd profile -n \"$booksns\" authors --open-api - | kubectl apply -f -\n echo \"$BOOKS_SP\" | bin/linkerd profile -n \"$booksns\" books --open-api - | kubectl apply -f -\n echo \"$WEBAPP_SP\" | bin/linkerd profile -n \"$booksns\" webapp --open-api - | kubectl apply -f -\ndone\n\nBOOKS_APP=$(\"$bindir\"/scurl https://raw.githubusercontent.com/BuoyantIO/booksapp/main/k8s/mysql-app.yml)\n\n# add \"-sleep=10ms\" param to the traffic app (~100rps)\ntraffic_param=' - \"webapp:7000\"'\nsleep_param=$(cat <<-END\n - \"-sleep=10ms\"\n - \"webapp:7000\"\nEND\n)\nBOOKS_APP=${BOOKS_APP/$traffic_param/$sleep_param}\n\n# inject\nBOOKS_APP=$(echo \"$BOOKS_APP\" | \"$linkerd_path\" -l \"$linkerd_namespace\" inject -)\n\n# deploy books apps to N namespaces\nfor ((i=1; i <= NAMESPACES; i++)); do\n booksns=$linkerd_namespace-books-$i\n echo \"waiting for $booksns mysql-init to complete...\"\n kubectl -n \"$booksns\" wait --for=condition=complete --timeout=5m job/mysql-init\n\n echo \"$BOOKS_APP\" | kubectl apply -n \"$booksns\" -f -\n kubectl -n \"$booksns\" scale --replicas=$REPLICAS deploy/authors deploy/books deploy/webapp\ndone\n\n#\n# Deploy Emojivoto\n#\n\nEMOJIVOTO=$(\"$bindir\"/scurl https://run.linkerd.io/emojivoto.yml)\n\n# delete namespace\nEMOJIVOTO=$(echo \"$EMOJIVOTO\" | tail -n +6)\nemojins='namespace: emojivoto'\nEMOJIVOTO=${EMOJIVOTO//$emojins/}\nemojins=.emojivoto:\nnewns=:\nEMOJIVOTO=${EMOJIVOTO//$emojins/$newns}\n\n# inject\nEMOJIVOTO=$(echo \"$EMOJIVOTO\" | \"$linkerd_path\" -l \"$linkerd_namespace\" inject -)\n\nfor ((i=1; i <= NAMESPACES; i++)); do\n emojins=$linkerd_namespace-emoji-$i\n\n kubectl create ns \"$emojins\"\n echo \"$EMOJIVOTO\" | kubectl apply -n \"$emojins\" -f -\n\n kubectl -n \"$emojins\" scale --replicas=$REPLICAS deploy/emoji deploy/voting deploy/web\ndone\n\n#\n# Lifecycle / bb\n#\n\nLIFECYCLE=$(\"$bindir\"/scurl https://raw.githubusercontent.com/linkerd/linkerd-examples/master/lifecycle/lifecycle.yml)\n\n# inject\nLIFECYCLE=$(echo \"$LIFECYCLE\" | $linkerd_path -l \"$linkerd_namespace\" inject -)\n\nfor ((i=1; i <= NAMESPACES; i++)); do\n lifecyclens=$linkerd_namespace-lifecycle-$i\n\n kubectl create ns \"$lifecyclens\"\n echo \"$LIFECYCLE\" | kubectl apply -n \"$lifecyclens\" -f -\n\n kubectl -n \"$lifecyclens\" scale --replicas=$REPLICAS deploy/bb-broadcast deploy/bb-p2p deploy/bb-terminus\ndone\n\n#\n# Watch performance\n#\n\nwatch \"$linkerd_path\" -l \"$linkerd_namespace\" stat ns\n" }, { "path": "bin/tests", "content": "#!/usr/bin/env bash\n\nbindir=$( cd \"${BASH_SOURCE[0]%/*}\" && pwd )\n\n# shellcheck source=_test-helpers.sh\n. \"$bindir\"/_test-helpers.sh\nhandle_tests_input \"$@\"\n\nif [ \"$test_name\" ]; then\n start_test \"$test_name\"\nelse\n echo '==================RUNNING ALL TESTS==================\nNote: cluster-domain, cni-calico-deep and multicluster require a specific cluster configuration and are skipped by default\n'\n\n for test_name in \"${default_test_names[@]}\"; do\n start_test \"$test_name\"\n done\n\n if [ $exit_code -eq 0 ]; then\n echo '\n=== PASS: all tests passed'\n else\n echo '\n=== FAIL: at least one test failed'\n fi\n\n exit $exit_code\nfi\n" }, { "path": "bin/update-codegen.sh", "content": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nSCRIPT_DIR=$(dirname \"${BASH_SOURCE[0]}\")\nSCRIPT_ROOT=$(dirname \"${SCRIPT_DIR}\")\nGEN_VER=$( awk '/k8s.io\\/code-generator/ { print $2 }' \"${SCRIPT_ROOT}/go.mod\" )\nKUBE_OPEN_API_VER=$( awk '/k8s.io\\/kube-openapi/ { print $2 }' \"${SCRIPT_ROOT}/go.mod\" )\nCODEGEN_PKG=$(mktemp -d -t \"code-generator-${GEN_VER}.XXX\")/code-generator\n\ngit clone --depth 1 --branch \"$GEN_VER\" https://github.com/kubernetes/code-generator \"$CODEGEN_PKG\"\n(\n cd \"$CODEGEN_PKG\"\n go get k8s.io/kube-openapi/pkg/common@\"$KUBE_OPEN_API_VER\"\n)\n\n# Remove previously generated code\nrm -rf \"${SCRIPT_ROOT}/controller/gen/client/clientset/*\"\nrm -rf \"${SCRIPT_ROOT}/controller/gen/client/listeners/*\"\nrm -rf \"${SCRIPT_ROOT}/controller/gen/client/informers/*\"\ncrds=(serviceprofile server serverauthorization link policy policy externalworkload)\nfor crd in \"${crds[@]}\"\ndo\n rm -f \"${SCRIPT_ROOT}\"/controller/gen/apis/\"${crd}\"/*/zz_generated.deepcopy.go\ndone\n\n# shellcheck disable=SC1091\nsource \"${CODEGEN_PKG}/kube_codegen.sh\"\n\n# Create a symlink so that the root of the repo is inside github.com/linkerd/linkerd2.\n# This is required because the codegen scripts expect it.\nmkdir -p \"${SCRIPT_ROOT}/github.com/linkerd\"\nln -s \"$(realpath \"${SCRIPT_ROOT}\")\" \"${SCRIPT_ROOT}/github.com/linkerd/linkerd2\"\n\nkube::codegen::gen_helpers \\\n --boilerplate \"${SCRIPT_ROOT}/controller/gen/boilerplate.go.txt\" \\\n github.com/linkerd/linkerd2/controller/gen/apis\n\nif [ -n \"${API_KNOWN_VIOLATIONS_DIR:-}\" ]; then\n report_filename=${API_KNOWN_VIOLATIONS_DIR}/codegen_violation_exceptions.list\n if [ \"${UPDATE_API_KNOWN_VIOLATIONS:-}\" = 'true' ]; then\n update_report='--update-report'\n fi\nfi\n\nkube::codegen::gen_openapi \\\n --output-pkg github.com/linkerd/linkerd2/controller/gen \\\n --output-dir \"${SCRIPT_ROOT}/controller/gen/client\" \\\n --report-filename \"${report_filename:-\"/dev/null\"}\" \\\n ${update_report:+\"${update_report}\"} \\\n --boilerplate \"${SCRIPT_ROOT}/controller/gen/boilerplate.go.txt\" \\\n github.com/linkerd/linkerd2/controller/gen/apis\n\nkube::codegen::gen_client \\\n --with-watch \\\n --output-pkg github.com/linkerd/linkerd2/controller/gen/client \\\n --output-dir \"${SCRIPT_ROOT}/controller/gen/client\" \\\n --boilerplate \"${SCRIPT_ROOT}/controller/gen/boilerplate.go.txt\" \\\n github.com/linkerd/linkerd2/controller/gen/apis\n\n# Once the code has been generated, we can remove the symlink.\nrm -rf \"${SCRIPT_ROOT}/github.com\"\n" }, { "path": "bin/web", "content": "#!/usr/bin/env bash\n\nset -o errexit -o nounset -o pipefail\n\nROOT=$( cd \"${BASH_SOURCE[0]%/*}\"/.. && pwd )\n\nDEV_PORT=8080\nexport NODE_ENV=${NODE_ENV:=development}\n\nfunction -h {\ncat <\n\n * build - build the assets\n * dev - run a dev server (with live reloading). Options:\n -p $DEV_PORT\n * port-forward - setup a tunnel to a controller component and port\n Example: port-forward linkerd controller 8085\n * run - run a local server (sans. reloading)\n * setup - get the environment setup for development\n Note: any command line options are passed on to yarn\n * test - run the unit tests\n Note: any command line options are passed on to the test runner (jest)\nUSAGE\n}; function --help { '-h' ;}\n\ncheck-for-linkerd-and-viz() {\n metrics_api_pod=$(get-pod linkerd-viz metrics-api)\n\n if [ -z \"${metrics_api_pod// }\" ]; then\n err 'Metrics-api is not running. Have you installed Linkerd-Viz?'\n exit 1\n fi\n}\n\ndev() {\n while getopts 'p:' opt; do\n case \"$opt\" in\n p) DEV_PORT=$OPTARG;;\n *) ;;\n esac\n done\n\n cd \"$ROOT\"/web/app && yarn webpack serve --port \"$DEV_PORT\" &\n run ''\n}\n\nbuild() {\n cd \"$ROOT\"/web/app\n yarn lingui compile && yarn webpack\n}\n\nget-pod() {\n if [ $# -ne 2 ]; then\n echo \"usage: bin/${0##*/} get-pod namespace component-name\" >&2\n exit 1\n fi\n\n\n selector=linkerd.io/control-plane-component=$2\n if [ \"$1\" = 'linkerd-viz' ]; then\n selector=\"component=$2\"\n fi\n\n kubectl --namespace=\"$1\" get po \\\n --selector=\"$selector\" \\\n --field-selector='status.phase==Running' \\\n -o jsonpath='{.items[*].metadata.name}'\n}\n\nport-forward() {\n if [ $# -lt 3 ]; then\n echo \"usage: bin/${0##*/} port-forward namespace component-name local port-number [remote port-number]\" >&2\n exit 1\n fi\n\n port_from=''\n port_to=''\n if [ $# -eq 4 ]; then\n port_from=$3\n port_to=$4\n else\n port_from=$3\n port_to=$3\n fi\n\n nc -z localhost \"$3\" || \\\n kubectl --namespace=\"$1\" port-forward \"$(get-pod \"$1\" \"$2\")\" \"$port_from:$port_to\"\n}\n\nrun() {\n # Stop everything in the process group (in the background) whenever the\n # parent process experiences an error and exits.\n trap 'exit' INT TERM\n trap 'kill 0' EXIT\n\n build\n\n check-for-linkerd-and-viz && (\n port-forward linkerd-viz metrics-api 8085 &\n )\n\n cd \"$ROOT\"/web && \\\n ../bin/go-run . --addr=:7777 \"$@\"\n}\n\nsetup() {\n cd \"$ROOT\"/web/app\n yarn \"$@\"\n}\n\nfunction test {\n cd \"$ROOT\"/web/app\n yarn jest \"$@\"\n}\n\nmain() {\n setup ''\n build\n}\n\nmsg() { out \"$*\" >&2 ;}\nerr() { local x=$? ; msg \"$*\" ; return $(( x == 0 ? 1 : x )) ;}\nout() { printf '%s\\n' \"$*\" ;}\n\nif [ ${1:-} ] && declare -F | cut -d' ' -f3 | grep -Fqx -- \"${1:-}\"; then\n \"$@\"\nelse\n main \"$@\"\nfi\n" }, { "path": "charts/artifacthub-repo-edge.yml", "content": "repositoryID: 3f724e34-9d3c-459e-99ba-aa8f09620ff4\nowners:\n - name: olix0r\n email: ver@buoyant.io\n - name: alpeb\n email: alejandro@buoyant.io\n - name: adleong\n email: alex@buoyant.io\n - name: hawkw\n email: eliza@buoyant.io\n - name: kleimkuhler\n email: kevinl@buoyant.io\n - name: pothulapati\n email: tarun@buoyant.io\n" }, { "path": "charts/artifacthub-repo-stable.yml", "content": "repositoryID: d6ca06cd-6db1-4931-bdc6-c1d5d5d52624\nowners:\n - name: olix0r\n email: ver@buoyant.io\n - name: alpeb\n email: alejandro@buoyant.io\n - name: adleong\n email: alex@buoyant.io\n - name: hawkw\n email: eliza@buoyant.io\n - name: kleimkuhler\n email: kevinl@buoyant.io\n - name: pothulapati\n email: tarun@buoyant.io\n" }, { "path": "charts/linkerd-control-plane/.helmignore", "content": "# Patterns to ignore when building packages.\n# This supports shell glob matching, relative path matching, and\n# negation (prefixed with !). Only one pattern per line.\n.DS_Store\nOWNERS\n# Common VCS dirs\n.git/\n.gitignore\n.bzr/\n.bzrignore\n.hg/\n.hgignore\n.svn/\n# Common backup files\n*.swp\n*.bak\n*.tmp\n*~\n# Various IDEs\n.project\n.idea/\n*.tmproj\n" }, { "path": "charts/linkerd-control-plane/Chart.yaml", "content": "apiVersion: \"v2\"\n# this version will be updated by the CI before publishing the Helm tarball\nappVersion: edge-XX.X.X\ndescription: |\n Linkerd gives you observability, reliability, and security\n for your microservices — with no code change required.\ntype: application\nhome: https://linkerd.io\nkeywords:\n - service-mesh\nkubeVersion: \">=1.23.0-0\"\nname: \"linkerd-control-plane\"\nsources:\n - https://github.com/linkerd/linkerd2/\ndependencies:\n - name: partials\n version: 0.1.0\n repository: file://../partials\n# this version will be updated by the CI before publishing the Helm tarball\nversion: 0.0.0-undefined\nicon: https://linkerd.io/images/logo-only-200h.png\nmaintainers:\n - name: Linkerd authors\n email: cncf-linkerd-dev@lists.cncf.io\n url: https://linkerd.io/\n" }, { "path": "charts/linkerd-control-plane/README.md.gotmpl", "content": "{{ template \"chart.header\" . }}\n{{ template \"chart.description\" . }}\n\n{{ template \"chart.versionBadge\" . }}\n{{ template \"chart.typeBadge\" . }}\n{{ template \"chart.appVersionBadge\" . }}\n\n{{ template \"chart.homepageLine\" . }}\n\n## Quickstart and documentation\n\nYou can run Linkerd on any Kubernetes cluster in a matter of seconds. See the\n[Linkerd Getting Started Guide][getting-started] for how.\n\nFor more comprehensive documentation, start with the [Linkerd\ndocs][linkerd-docs].\n\n## Prerequisite: linkerd-crds chart\n\nBefore installing this chart, please install the `linkerd-crds` chart, which\ncreates all the CRDs that the components from the current chart require.\n\n## Prerequisite: identity certificates\n\nThe identity component of Linkerd requires setting up a trust anchor\ncertificate, and an issuer certificate with its key. These need to be provided\nto Helm by the user (unlike when using the `linkerd install` CLI which can\ngenerate these automatically). You can provide your own, or follow [these\ninstructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new\nones.\n\nAlternatively, both trust anchor and identity issuer certificates may be\nderived from in-cluster resources. Existing CA (trust anchor) certificates\n**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`.\nIssuer certificates **must** live in a `Secret` named\n`linkerd-identity-issuer`. Both resources should exist in the control-plane's\ninstall namespace. In order to use an existing CA, Linkerd needs to be\ninstalled with `identity.externalCA=true`. To use an existing issuer\ncertificate, Linkerd should be installed with\n`identity.issuer.scheme=kubernetes.io/tls`.\n\nA more comprehensive description is in the [automatic certificate rotation\nguide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions).\n\nNote that the provided certificates must be ECDSA certificates.\n\n## Adding Linkerd's Helm repository\n\nIncluded here for completeness-sake, but should have already been added when\n`linkerd-crds` was installed.\n\n```bash\n# To add the repo for Linkerd edge releases:\nhelm repo add linkerd https://helm.linkerd.io/edge\n```\n\n## Installing the chart\n\nYou must provide the certificates and keys described in the preceding section,\nand the same expiration date you used to generate the Issuer certificate.\n\n```bash\nhelm install linkerd-control-plane -n linkerd \\\n --set-file identityTrustAnchorsPEM=ca.crt \\\n --set-file identity.issuer.tls.crtPEM=issuer.crt \\\n --set-file identity.issuer.tls.keyPEM=issuer.key \\\n linkerd/linkerd-control-plane\n```\n\nNote that you require to install this chart in the same namespace you installed\nthe `linkerd-crds` chart.\n\n## Setting High-Availability\n\nBesides the default `values.yaml` file, the chart provides a `values-ha.yaml`\nfile that overrides some default values as to set things up under a\nhigh-availability scenario, analogous to the `--ha` option in `linkerd install`.\nValues such as higher number of replicas, higher memory/cpu limits and\naffinities are specified in that file.\n\nYou can get ahold of `values-ha.yaml` by fetching the chart files:\n\n```bash\nhelm fetch --untar linkerd/linkerd-control-plane\n```\n\nThen use the `-f` flag to provide the override file, for example:\n\n```bash\nhelm install linkerd-control-plane -n linkerd \\\n --set-file identityTrustAnchorsPEM=ca.crt \\\n --set-file identity.issuer.tls.crtPEM=issuer.crt \\\n --set-file identity.issuer.tls.keyPEM=issuer.key \\\n -f linkerd2/values-ha.yaml\n linkerd/linkerd-control-plane\n```\n\n## Get involved\n\n* Check out Linkerd's source code at [GitHub][linkerd2].\n* Join Linkerd's [user mailing list][linkerd-users], [developer mailing\n list][linkerd-dev], and [announcements mailing list][linkerd-announce].\n* Follow [@linkerd][twitter] on Twitter.\n* Join the [Linkerd Slack][slack].\n\n[getting-started]: https://linkerd.io/2/getting-started/\n[linkerd2]: https://github.com/linkerd/linkerd2\n[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce\n[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev\n[linkerd-docs]: https://linkerd.io/2/overview/\n[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users\n[slack]: http://slack.linkerd.io\n[twitter]: https://twitter.com/linkerd\n\n## Extensions for Linkerd\n\nThe current chart installs the core Linkerd components, which grant you\nreliability and security features. Other functionality is available through\nextensions. Check the corresponding docs for each one of the following\nextensions:\n\n* Observability:\n [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/values.yaml)\n* Multicluster:\n [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/values.yaml)\n\n{{ template \"chart.requirementsSection\" . }}\n\n{{ template \"chart.valuesSection\" . }}\n\n{{ template \"helm-docs.versionFooter\" . }}\n" }, { "path": "charts/linkerd-control-plane/templates/NOTES.txt", "content": "The Linkerd control plane was successfully installed 🎉\n\nTo help you manage your Linkerd service mesh you can install the Linkerd CLI by running:\n\n curl -sL https://run.linkerd.io/install | sh\n\nAlternatively, you can download the CLI directly via the Linkerd releases page:\n\n https://github.com/linkerd/linkerd2/releases/\n\nTo make sure everything works as expected, run the following:\n\n linkerd check\n\nThe viz extension can be installed by running:\n\n helm install linkerd-viz linkerd/linkerd-viz\n\nLooking for more? Visit https://linkerd.io/2/getting-started/\n" }, { "path": "charts/linkerd-control-plane/templates/config-rbac.yaml", "content": "---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n name: ext-namespace-metadata-linkerd-config\n namespace: {{ .Release.Namespace }}\nrules:\n- apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"get\"]\n resourceNames: [\"linkerd-config\"]\n{{- with .Values.configReaders }}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: linkerd-config-reader\n namespace: {{ $.Release.Namespace }}\n labels:\n app.kubernetes.io/part-of: Linkerd\n linkerd.io/control-plane-ns: {{$.Release.Namespace}}\n {{- with $.Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n kind: Role\n name: ext-namespace-metadata-linkerd-config\n apiGroup: rbac.authorization.k8s.io\nsubjects:\n{{- range . }}\n- kind: ServiceAccount\n name: {{ .name }}\n namespace: {{ .namespace }}\n{{- end }}\n...\n{{- end }}\n" }, { "path": "charts/linkerd-control-plane/templates/config.yaml", "content": "---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: linkerd-config\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: controller\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ndata:\n linkerd-crds-chart-version: linkerd-crds-1.0.0-edge\n values: |\n {{- $values := deepCopy .Values }}\n {{- /*\n WARNING! All sensitive or private data such as TLS keys must be removed\n here to avoid it being publicly readable.\n */ -}}\n {{- if kindIs \"map\" $values.identity.issuer.tls -}}\n {{- $_ := unset $values.identity.issuer.tls \"keyPEM\"}}\n {{- end -}}\n {{- if kindIs \"map\" $values.profileValidator -}}\n {{- $_ := unset $values.profileValidator \"keyPEM\"}}\n {{- end -}}\n {{- if kindIs \"map\" $values.proxyInjector -}}\n {{- $_ := unset $values.proxyInjector \"keyPEM\"}}\n {{- end -}}\n {{- if kindIs \"map\" $values.policyValidator -}}\n {{- $_ := unset $values.policyValidator \"keyPEM\"}}\n {{- end -}}\n {{- if (empty $values.identityTrustDomain) -}}\n {{- $_ := set $values \"identityTrustDomain\" $values.clusterDomain}}\n {{- end -}}\n {{- $_ := unset $values \"partials\"}}\n {{- $_ := unset $values \"configs\"}}\n {{- $_ := unset $values \"stage\"}}\n {{- toYaml $values | trim | nindent 4 }}\n" }, { "path": "charts/linkerd-control-plane/templates/destination-rbac.yaml", "content": "---\n###\n### Destination Controller Service\n###\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-destination\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: [\"apps\"]\n resources: [\"replicasets\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"batch\"]\n resources: [\"jobs\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"\"]\n resources: [\"pods\", \"endpoints\", \"services\", \"nodes\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"linkerd.io\"]\n resources: [\"serviceprofiles\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"workload.linkerd.io\"]\n resources: [\"externalworkloads\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"coordination.k8s.io\"]\n resources: [\"leases\"]\n verbs: [\"create\", \"get\", \"update\", \"patch\"]\n {{- if .Values.enableEndpointSlices }}\n- apiGroups: [\"discovery.k8s.io\"]\n resources: [\"endpointslices\"]\n verbs: [\"list\", \"get\", \"watch\", \"create\", \"update\", \"patch\", \"delete\"]\n {{- end }}\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-destination\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: linkerd-{{.Release.Namespace}}-destination\nsubjects:\n- kind: ServiceAccount\n name: linkerd-destination\n namespace: {{.Release.Namespace}}\n---\nkind: ServiceAccount\napiVersion: v1\nmetadata:\n name: linkerd-destination\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n{{- include \"partials.image-pull-secrets\" .Values.imagePullSecrets }}\n---\n{{- $host := printf \"linkerd-sp-validator.%s.svc\" .Release.Namespace }}\n{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}\n{{- if (not .Values.profileValidator.externalSecret) }}\nkind: Secret\napiVersion: v1\nmetadata:\n name: linkerd-sp-validator-k8s-tls\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ntype: kubernetes.io/tls\ndata:\n tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }}\n tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }}\n---\n{{- end }}\n{{- include \"linkerd.webhook.validation\" .Values.profileValidator }}\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n name: linkerd-sp-validator-webhook-config\n {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }}\n annotations:\n {{- if .Values.profileValidator.injectCaFrom }}\n cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }}\n {{- end }}\n {{- if .Values.profileValidator.injectCaFromSecret }}\n cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }}\n {{- end }}\n {{- end }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nwebhooks:\n- name: linkerd-sp-validator.linkerd.io\n namespaceSelector:\n {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }}\n clientConfig:\n service:\n name: linkerd-sp-validator\n namespace: {{ .Release.Namespace }}\n path: \"/\"\n {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }}\n caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }}\n {{- end }}\n failurePolicy: {{.Values.webhookFailurePolicy}}\n admissionReviewVersions: [\"v1\", \"v1beta1\"]\n rules:\n - operations: [\"CREATE\", \"UPDATE\"]\n apiGroups: [\"linkerd.io\"]\n apiVersions: [\"v1alpha1\", \"v1alpha2\"]\n resources: [\"serviceprofiles\"]\n sideEffects: None\n---\n{{- $host := printf \"linkerd-policy-validator.%s.svc\" .Release.Namespace }}\n{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}\n{{- if (not .Values.policyValidator.externalSecret) }}\nkind: Secret\napiVersion: v1\nmetadata:\n name: linkerd-policy-validator-k8s-tls\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ntype: kubernetes.io/tls\ndata:\n tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }}\n tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }}\n---\n{{- end }}\n{{- include \"linkerd.webhook.validation\" .Values.policyValidator }}\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n name: linkerd-policy-validator-webhook-config\n {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }}\n annotations:\n {{- if .Values.policyValidator.injectCaFrom }}\n cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }}\n {{- end }}\n {{- if .Values.policyValidator.injectCaFromSecret }}\n cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }}\n {{- end }}\n {{- end }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nwebhooks:\n- name: linkerd-policy-validator.linkerd.io\n namespaceSelector:\n {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }}\n clientConfig:\n service:\n name: linkerd-policy-validator\n namespace: {{ .Release.Namespace }}\n path: \"/\"\n {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }}\n caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }}\n {{- end }}\n failurePolicy: {{.Values.webhookFailurePolicy}}\n admissionReviewVersions: [\"v1\", \"v1beta1\"]\n rules:\n - operations: [\"CREATE\", \"UPDATE\"]\n apiGroups: [\"policy.linkerd.io\"]\n apiVersions: [\"*\"]\n resources:\n - authorizationpolicies\n - httplocalratelimitpolicies\n - httproutes\n - networkauthentications\n - meshtlsauthentications\n - serverauthorizations\n - servers\n - egressnetworks\n - operations: [\"CREATE\", \"UPDATE\"]\n apiGroups: [\"gateway.networking.k8s.io\"]\n apiVersions: [\"*\"]\n resources:\n - httproutes\n - grpcroutes\n - tlsroutes\n - tcproutes\n sideEffects: None\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: linkerd-policy\n labels:\n app.kubernetes.io/part-of: Linkerd\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n - apiGroups:\n - \"\"\n resources:\n - pods\n verbs:\n - get\n - list\n - watch\n - apiGroups:\n - apps\n resources:\n - deployments\n verbs:\n - get\n - apiGroups:\n - policy.linkerd.io\n resources:\n - authorizationpolicies\n - httplocalratelimitpolicies\n - httproutes\n - meshtlsauthentications\n - networkauthentications\n - servers\n - serverauthorizations\n - egressnetworks\n verbs:\n - get\n - list\n - watch\n - apiGroups:\n - gateway.networking.k8s.io\n resources:\n - httproutes\n - grpcroutes\n - tlsroutes\n - tcproutes\n verbs:\n - get\n - list\n - watch\n - apiGroups:\n - policy.linkerd.io\n resources:\n - httproutes/status\n - httplocalratelimitpolicies/status\n - egressnetworks/status\n verbs:\n - patch\n - apiGroups:\n - gateway.networking.k8s.io\n resources:\n - httproutes/status\n - grpcroutes/status\n - tlsroutes/status\n - tcproutes/status\n verbs:\n - patch\n - apiGroups:\n - workload.linkerd.io\n resources:\n - externalworkloads\n verbs:\n - get\n - list\n - watch\n - apiGroups:\n - coordination.k8s.io\n resources:\n - leases\n verbs:\n - create\n - get\n - patch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: linkerd-destination-policy\n labels:\n app.kubernetes.io/part-of: Linkerd\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: linkerd-policy\nsubjects:\n - kind: ServiceAccount\n name: linkerd-destination\n namespace: {{.Release.Namespace}}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: remote-discovery\n namespace: {{.Release.Namespace}}\n labels:\n app.kubernetes.io/part-of: Linkerd\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n - apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - get\n - list\n - watch\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: linkerd-destination-remote-discovery\n namespace: {{.Release.Namespace}}\n labels:\n app.kubernetes.io/part-of: Linkerd\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: Role\n name: remote-discovery\nsubjects:\n - kind: ServiceAccount\n name: linkerd-destination\n namespace: {{.Release.Namespace}}\n" }, { "path": "charts/linkerd-control-plane/templates/destination.yaml", "content": "---\n###\n### Destination Controller Service\n###\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-dst\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n type: ClusterIP\n selector:\n linkerd.io/control-plane-component: destination\n ports:\n - name: grpc\n port: 8086\n targetPort: 8086\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-dst-headless\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n clusterIP: None\n selector:\n linkerd.io/control-plane-component: destination\n ports:\n - name: grpc\n port: 8086\n targetPort: 8086\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-sp-validator\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n type: ClusterIP\n selector:\n linkerd.io/control-plane-component: destination\n ports:\n - name: sp-validator\n port: 443\n targetPort: sp-validator\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-policy\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n clusterIP: None\n selector:\n linkerd.io/control-plane-component: destination\n ports:\n - name: grpc\n port: 8090\n targetPort: 8090\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-policy-validator\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n type: ClusterIP\n selector:\n linkerd.io/control-plane-component: destination\n ports:\n - name: policy-https\n port: 443\n targetPort: policy-https\n{{- if .Values.enablePodDisruptionBudget }}\n---\nkind: PodDisruptionBudget\napiVersion: policy/v1\nmetadata:\n name: linkerd-dst\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: destination\n{{- end }}\n---\n{{- $tree := deepCopy . }}\n{{ $_ := set $tree.Values.proxy \"workloadKind\" \"deployment\" -}}\n{{ $_ := set $tree.Values.proxy \"component\" \"linkerd-destination\" -}}\n{{ $_ := set $tree.Values.proxy \"waitBeforeExitSeconds\" 0 -}}\n{{- if not (empty .Values.destinationProxyResources) }}\n{{- $c := dig \"cores\" .Values.proxy.cores .Values.destinationProxyResources }}\n{{- $_ := set $tree.Values.proxy \"cores\" $c }}\n{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }}\n{{- $_ := set $tree.Values.proxy \"resources\" $r }}\n{{- end }}\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n labels:\n app.kubernetes.io/name: destination\n app.kubernetes.io/part-of: Linkerd\n app.kubernetes.io/version: {{.Values.linkerdVersion}}\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n name: linkerd-destination\n namespace: {{ .Release.Namespace }}\nspec:\n replicas: {{.Values.controllerReplicas}}\n revisionHistoryLimit: {{.Values.revisionHistoryLimit}}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- include \"partials.proxy.labels\" $tree.Values.proxy | nindent 6}}\n {{- if .Values.deploymentStrategy }}\n strategy:\n {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- end }}\n template:\n metadata:\n annotations:\n checksum/config: {{ include (print $.Template.BasePath \"/destination-rbac.yaml\") . | sha256sum }}\n {{ include \"partials.annotations.created-by\" . }}\n {{- include \"partials.proxy.annotations\" . | nindent 8}}\n {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.destinationController.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n config.linkerd.io/default-inbound-policy: \"all-unauthenticated\"\n labels:\n linkerd.io/control-plane-component: destination\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n linkerd.io/workload-ns: {{.Release.Namespace}}\n {{- include \"partials.proxy.labels\" $tree.Values.proxy | nindent 8}}\n {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n spec:\n {{- with .Values.runtimeClassName }}\n runtimeClassName: {{ . | quote }}\n {{- end }}\n {{- if .Values.tolerations -}}\n {{- include \"linkerd.tolerations\" . | nindent 6 }}\n {{- end -}}\n {{- include \"linkerd.node-selector\" . | nindent 6 }}\n {{- $_ := set $tree \"component\" \"destination\" -}}\n {{- with include \"linkerd.affinity\" $tree }}\n {{- . | nindent 6 }}\n {{- end }}\n automountServiceAccountToken: false\n containers:\n {{- $_ := set $tree.Values.proxy \"await\" $tree.Values.proxy.await }}\n {{- $_ := set $tree.Values.proxy \"loadTrustBundleFromConfigMap\" true }}\n {{- $_ := set $tree.Values.proxy \"podInboundPorts\" \"8086,8090,8443,9443,9990,9996,9997\" }}\n {{- $_ := set $tree.Values.proxy \"outboundDiscoveryCacheUnusedTimeout\" \"5s\" }}\n {{- $_ := set $tree.Values.proxy \"inboundDiscoveryCacheUnusedTimeout\" \"90s\" }}\n {{- /*\n The pod needs to accept webhook traffic, and we can't rely on that originating in the\n cluster network.\n */}}\n {{- $_ := set $tree.Values.proxy \"defaultInboundPolicy\" \"all-unauthenticated\" }}\n {{- $_ := set $tree.Values.proxy \"capabilities\" (dict \"drop\" (list \"ALL\")) }}\n {{- if not $tree.Values.proxy.nativeSidecar }}\n - {{- include \"partials.proxy\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{- end }}\n - args:\n - destination\n - -addr=:8086\n - -controller-namespace={{.Release.Namespace}}\n - -outbound-transport-mode={{.Values.proxy.outboundTransportMode}}\n - -enable-h2-upgrade={{.Values.enableH2Upgrade}}\n - -log-level={{.Values.controllerLogLevel}}\n - -log-format={{.Values.controllerLogFormat}}\n - -enable-endpoint-slices={{.Values.enableEndpointSlices}}\n - -cluster-domain={{.Values.clusterDomain}}\n - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}\n - -default-opaque-ports={{.Values.proxy.opaquePorts}}\n - -enable-ipv6={{not .Values.disableIPv6}}\n - -enable-pprof={{.Values.enablePprof | default false}}\n {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }}\n - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }}\n {{- end }}\n {{- range (.Values.destinationController).additionalArgs }}\n - {{ . }}\n {{- end }}\n {{- range (.Values.destinationController).experimentalArgs }}\n - {{ . }}\n {{- end }}\n {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }}\n env:\n {{- with (.Values.destinationController).additionalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- with (.Values.destinationController).experimentalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- end }}\n {{- include \"partials.linkerd.trace\" . | nindent 8 -}}\n image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}\n imagePullPolicy: {{.Values.imagePullPolicy}}\n livenessProbe:\n httpGet:\n path: /ping\n port: 9996\n initialDelaySeconds: 10\n {{- with (.Values.destinationController.livenessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n name: destination\n ports:\n - containerPort: 8086\n name: dest-grpc\n - containerPort: 9996\n name: dest-admin\n readinessProbe:\n failureThreshold: 7\n httpGet:\n path: /ready\n port: 9996\n {{- with (.Values.destinationController.readinessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n {{- if .Values.destinationResources -}}\n {{- include \"partials.resources\" .Values.destinationResources | nindent 8 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n - args:\n - sp-validator\n - -log-level={{.Values.controllerLogLevel}}\n - -log-format={{.Values.controllerLogFormat}}\n - -enable-pprof={{.Values.enablePprof | default false}}\n {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }}\n env:\n {{- with (.Values.spValidator).additionalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- with (.Values.spValidator).experimentalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- end }}\n image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}\n imagePullPolicy: {{.Values.imagePullPolicy}}\n livenessProbe:\n httpGet:\n path: /ping\n port: 9997\n initialDelaySeconds: 10\n {{- with ((.Values.spValidator).livenessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n name: sp-validator\n ports:\n - containerPort: 8443\n name: sp-validator\n - containerPort: 9997\n name: spval-admin\n readinessProbe:\n failureThreshold: 7\n httpGet:\n path: /ready\n port: 9997\n {{- with ((.Values.spValidator).readinessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n {{- if .Values.spValidatorResources -}}\n {{- include \"partials.resources\" .Values.spValidatorResources | nindent 8 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/linkerd/tls\n name: sp-tls\n readOnly: true\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n - command: [\"/linkerd-policy-controller\"]\n args:\n - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990\n - --control-plane-namespace={{.Release.Namespace}}\n - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090\n - --server-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9443\n - --server-tls-key=/var/run/linkerd/tls/tls.key\n - --server-tls-certs=/var/run/linkerd/tls/tls.crt\n - --cluster-networks={{.Values.clusterNetworks}}\n - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}\n - --cluster-domain={{.Values.clusterDomain}}\n - --default-policy={{.Values.proxy.defaultInboundPolicy}}\n - --log-level={{.Values.policyController.logLevel | default \"linkerd=info,warn\"}}\n - --log-format={{.Values.controllerLogFormat}}\n - --default-opaque-ports={{.Values.proxy.opaquePorts}}\n - --global-egress-network-namespace={{.Values.egress.globalEgressNetworkNamespace}}\n {{- if .Values.policyController.probeNetworks }}\n - --probe-networks={{.Values.policyController.probeNetworks | join \",\"}}\n {{- end}}\n {{- range .Values.policyController.additionalArgs }}\n - {{ . }}\n {{- end }}\n {{- range .Values.policyController.experimentalArgs }}\n - {{ . }}\n {{- end }}\n image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}\n imagePullPolicy: {{ .Values.imagePullPolicy }}\n livenessProbe:\n httpGet:\n path: /live\n port: policy-admin\n initialDelaySeconds: 10\n {{- with (.Values.policyController.livenessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n name: policy\n ports:\n - containerPort: 8090\n name: policy-grpc\n - containerPort: 9990\n name: policy-admin\n - containerPort: 9443\n name: policy-https\n readinessProbe:\n failureThreshold: 7\n httpGet:\n path: /ready\n port: policy-admin\n {{- with (.Values.policyController.readinessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n {{- if .Values.policyController.resources }}\n {{- include \"partials.resources\" .Values.policyController.resources | nindent 8 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/linkerd/tls\n name: policy-tls\n readOnly: true\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n initContainers:\n {{ if .Values.cniEnabled -}}\n - {{- include \"partials.network-validator\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ else -}}\n {{- /*\n The destination controller needs to connect to the Kubernetes API before the proxy is able\n to proxy requests, so we always skip these connections.\n */}}\n {{- $_ := set $tree.Values.proxyInit \"ignoreOutboundPorts\" .Values.proxyInit.kubeAPIServerPorts -}}\n - {{- include \"partials.proxy-init\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{- if $tree.Values.proxy.nativeSidecar }}\n {{- $_ := set $tree.Values.proxy \"startupProbeInitialDelaySeconds\" 35 }}\n {{- $_ := set $tree.Values.proxy \"startupProbePeriodSeconds\" 5 }}\n {{- $_ := set $tree.Values.proxy \"startupProbeFailureThreshold\" 20 }}\n - {{- include \"partials.proxy\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{- if .Values.priorityClassName -}}\n priorityClassName: {{ .Values.priorityClassName }}\n {{ end -}}\n securityContext:\n seccompProfile:\n type: RuntimeDefault\n serviceAccountName: linkerd-destination\n volumes:\n - name: sp-tls\n secret:\n secretName: linkerd-sp-validator-k8s-tls\n - name: policy-tls\n secret:\n secretName: linkerd-policy-validator-k8s-tls\n - {{- include \"partials.volumes.manual-mount-service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ if not .Values.cniEnabled -}}\n - {{- include \"partials.proxyInit.volumes.xtables\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{if .Values.identity.serviceAccountTokenProjection -}}\n - {{- include \"partials.proxy.volumes.service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n - {{- include \"partials.proxy.volumes.identity\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ if ((.Values.proxy.tracing).enabled) -}}\n - {{- include \"partials.proxy.volumes.podinfo\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end }}\n" }, { "path": "charts/linkerd-control-plane/templates/heartbeat-rbac.yaml", "content": "{{ if not .Values.disableHeartBeat -}}\n---\n###\n### Heartbeat RBAC\n###\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: linkerd-heartbeat\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"get\"]\n resourceNames: [\"linkerd-config\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: linkerd-heartbeat\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n kind: Role\n name: linkerd-heartbeat\n apiGroup: rbac.authorization.k8s.io\nsubjects:\n- kind: ServiceAccount\n name: linkerd-heartbeat\n namespace: {{.Release.Namespace}}\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: linkerd-heartbeat\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: [\"\"]\n resources: [\"namespaces\"]\n verbs: [\"list\"]\n- apiGroups: [\"linkerd.io\"]\n resources: [\"serviceprofiles\"]\n verbs: [\"list\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: linkerd-heartbeat\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n kind: ClusterRole\n name: linkerd-heartbeat\n apiGroup: rbac.authorization.k8s.io\nsubjects:\n- kind: ServiceAccount\n name: linkerd-heartbeat\n namespace: {{.Release.Namespace}}\n---\nkind: ServiceAccount\napiVersion: v1\nmetadata:\n name: linkerd-heartbeat\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: heartbeat\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n{{- include \"partials.image-pull-secrets\" .Values.imagePullSecrets }}\n{{- end }}\n" }, { "path": "charts/linkerd-control-plane/templates/heartbeat.yaml", "content": "{{ if not .Values.disableHeartBeat -}}\n---\n###\n### Heartbeat\n###\napiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: linkerd-heartbeat\n namespace: {{ .Release.Namespace }}\n labels:\n app.kubernetes.io/name: heartbeat\n app.kubernetes.io/part-of: Linkerd\n app.kubernetes.io/version: {{.Values.linkerdVersion}}\n linkerd.io/control-plane-component: heartbeat\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n concurrencyPolicy: Replace\n {{ if .Values.heartbeatSchedule -}}\n schedule: \"{{.Values.heartbeatSchedule}}\"\n {{ else -}}\n schedule: \"{{ dateInZone \"04 15 * * *\" (now | mustDateModify \"+10m\") \"UTC\"}}\"\n {{ end -}}\n successfulJobsHistoryLimit: 0\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n linkerd.io/control-plane-component: heartbeat\n linkerd.io/workload-ns: {{.Release.Namespace}}\n {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 12 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 12 }}{{- end }}\n spec:\n {{- if .Values.priorityClassName }}\n priorityClassName: {{ .Values.priorityClassName }}\n {{- end -}}\n {{- with .Values.runtimeClassName }}\n runtimeClassName: {{ . | quote }}\n {{- end }}\n {{- if .Values.tolerations -}}\n {{- include \"linkerd.tolerations\" . | nindent 10 }}\n {{- end -}}\n {{- include \"linkerd.node-selector\" . | nindent 10 }}\n securityContext:\n seccompProfile:\n type: RuntimeDefault\n serviceAccountName: linkerd-heartbeat\n restartPolicy: Never\n automountServiceAccountToken: false\n containers:\n - name: heartbeat\n image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}\n imagePullPolicy: {{.Values.imagePullPolicy}}\n env:\n - name: LINKERD_DISABLED\n value: \"the heartbeat controller does not use the proxy\"\n {{- with (.Values.heartbeat).additionalEnv }}\n {{- toYaml . | nindent 12 -}}\n {{- end }}\n {{- with (.Values.heartbeat).experimentalEnv }}\n {{- toYaml . | nindent 12 -}}\n {{- end }}\n args:\n - \"heartbeat\"\n - \"-controller-namespace={{.Release.Namespace}}\"\n - \"-log-level={{.Values.controllerLogLevel}}\"\n - \"-log-format={{.Values.controllerLogFormat}}\"\n {{- if .Values.prometheusUrl }}\n - \"-prometheus-url={{.Values.prometheusUrl}}\"\n {{- else }}\n - \"-prometheus-url=http://prometheus.linkerd-viz.svc.{{.Values.clusterDomain}}:9090\"\n {{- end }}\n {{- if .Values.heartbeatResources -}}\n {{- include \"partials.resources\" .Values.heartbeatResources | nindent 12 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n volumes:\n - {{- include \"partials.volumes.manual-mount-service-account-token\" . | indent 12 | trimPrefix (repeat 11 \" \") }}\n{{- end }}\n" }, { "path": "charts/linkerd-control-plane/templates/identity-rbac.yaml", "content": "---\n###\n### Identity Controller Service RBAC\n###\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-identity\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: [\"authentication.k8s.io\"]\n resources: [\"tokenreviews\"]\n verbs: [\"create\"]\n# TODO(ver) Restrict this to the Linkerd namespace. See\n# https://github.com/linkerd/linkerd2/issues/9367\n- apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"create\", \"patch\"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-identity\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: linkerd-{{.Release.Namespace}}-identity\nsubjects:\n- kind: ServiceAccount\n name: linkerd-identity\n namespace: {{.Release.Namespace}}\n---\nkind: ServiceAccount\napiVersion: v1\nmetadata:\n name: linkerd-identity\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n{{- include \"partials.image-pull-secrets\" .Values.imagePullSecrets }}\n" }, { "path": "charts/linkerd-control-plane/templates/identity.yaml", "content": "{{if .Values.identity -}}\n---\n###\n### Identity Controller Service\n###\n{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme \"linkerd.io/tls\") -}}\nkind: Secret\napiVersion: v1\nmetadata:\n name: linkerd-identity-issuer\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ndata:\n crt.pem: {{b64enc (required \"Please provide the identity issuer certificate\" .Values.identity.issuer.tls.crtPEM | trim)}}\n key.pem: {{b64enc (required \"Please provide the identity issue private key\" .Values.identity.issuer.tls.keyPEM | trim)}}\n---\n{{- end}}\n{{ if not (.Values.identity.externalCA) -}}\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: linkerd-identity-trust-roots\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ndata:\n ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}\n---\n{{- end}}\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-identity\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n type: ClusterIP\n selector:\n linkerd.io/control-plane-component: identity\n ports:\n - name: grpc\n port: 8080\n targetPort: 8080\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-identity-headless\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n clusterIP: None\n selector:\n linkerd.io/control-plane-component: identity\n ports:\n - name: grpc\n port: 8080\n targetPort: 8080\n---\n{{- if .Values.enablePodDisruptionBudget }}\nkind: PodDisruptionBudget\napiVersion: policy/v1\nmetadata:\n name: linkerd-identity\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: identity\n---\n{{- end }}\n{{- $tree := deepCopy . }}\n{{ $_ := set $tree.Values.proxy \"workloadKind\" \"deployment\" -}}\n{{ $_ := set $tree.Values.proxy \"component\" \"linkerd-identity\" -}}\n{{ $_ := set $tree.Values.proxy \"waitBeforeExitSeconds\" 0 -}}\n{{- if not (empty .Values.identityProxyResources) }}\n{{- $c := dig \"cores\" .Values.proxy.cores .Values.identityProxyResources }}\n{{- $_ := set $tree.Values.proxy \"cores\" $c }}\n{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}\n{{- $_ := set $tree.Values.proxy \"resources\" $r }}\n{{- end }}\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n labels:\n app.kubernetes.io/name: identity\n app.kubernetes.io/part-of: Linkerd\n app.kubernetes.io/version: {{.Values.linkerdVersion}}\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n name: linkerd-identity\n namespace: {{ .Release.Namespace }}\nspec:\n replicas: {{.Values.controllerReplicas}}\n revisionHistoryLimit: {{.Values.revisionHistoryLimit}}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- include \"partials.proxy.labels\" $tree.Values.proxy | nindent 6}}\n {{- if .Values.deploymentStrategy }}\n strategy:\n {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- end }}\n template:\n metadata:\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n {{- include \"partials.proxy.annotations\" . | nindent 8}}\n {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n config.linkerd.io/default-inbound-policy: \"all-unauthenticated\"\n labels:\n linkerd.io/control-plane-component: identity\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n linkerd.io/workload-ns: {{.Release.Namespace}}\n {{- include \"partials.proxy.labels\" $tree.Values.proxy | nindent 8}}\n {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n spec:\n {{- with .Values.runtimeClassName }}\n runtimeClassName: {{ . | quote }}\n {{- end }}\n {{- if .Values.tolerations -}}\n {{- include \"linkerd.tolerations\" . | nindent 6 }}\n {{- end -}}\n {{- include \"linkerd.node-selector\" . | nindent 6 }}\n {{- $_ := set $tree \"component\" \"identity\" -}}\n {{- with include \"linkerd.affinity\" $tree }}\n {{- . | nindent 6 }}\n {{- end }}\n automountServiceAccountToken: false\n containers:\n - args:\n - identity\n - -log-level={{.Values.controllerLogLevel}}\n - -log-format={{.Values.controllerLogFormat}}\n - -controller-namespace={{.Release.Namespace}}\n - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}\n - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}\n - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}\n - -identity-scheme={{.Values.identity.issuer.scheme}}\n - -enable-pprof={{.Values.enablePprof | default false}}\n - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}}\n - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}}\n {{- include \"partials.linkerd.trace\" . | nindent 8 -}}\n env:\n - name: LINKERD_DISABLED\n value: \"linkerd-await cannot block the identity controller\"\n {{- with (.Values.identity).additionalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- with (.Values.identity).experimentalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}\n imagePullPolicy: {{.Values.imagePullPolicy}}\n livenessProbe:\n httpGet:\n path: /ping\n port: 9990\n initialDelaySeconds: 10\n {{- with (.Values.identity.livenessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n name: identity\n ports:\n - containerPort: 8080\n name: ident-grpc\n - containerPort: 9990\n name: ident-admin\n readinessProbe:\n failureThreshold: 7\n httpGet:\n path: /ready\n port: 9990\n {{- with (.Values.identity.readinessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n {{- if .Values.identityResources -}}\n {{- include \"partials.resources\" .Values.identityResources | nindent 8 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/linkerd/identity/issuer\n name: identity-issuer\n - mountPath: /var/run/linkerd/identity/trust-roots/\n name: trust-roots\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n {{- $_ := set $tree.Values.proxy \"await\" false }}\n {{- $_ := set $tree.Values.proxy \"loadTrustBundleFromConfigMap\" true }}\n {{- $_ := set $tree.Values.proxy \"podInboundPorts\" \"8080,9990\" }}\n {{- $_ := set $tree.Values.proxy \"nativeSidecar\" false }}\n {{- /*\n The identity controller cannot discover policies, so we configure it with defaults that\n enforce TLS on the identity service.\n */}}\n {{- $_ := set $tree.Values.proxy \"defaultInboundPolicy\" \"all-unauthenticated\" }}\n {{- $_ := set $tree.Values.proxy \"requireTLSOnInboundPorts\" \"8080\" }}\n {{- $_ := set $tree.Values.proxy \"capabilities\" (dict \"drop\" (list \"ALL\")) }}\n {{- $_ := set $tree.Values.proxy \"outboundDiscoveryCacheUnusedTimeout\" \"5s\" }}\n {{- $_ := set $tree.Values.proxy \"inboundDiscoveryCacheUnusedTimeout\" \"90s\" }}\n - {{- include \"partials.proxy\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n initContainers:\n {{ if .Values.cniEnabled -}}\n - {{- include \"partials.network-validator\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ else -}}\n {{- /*\n The identity controller needs to connect to the Kubernetes API before the proxy is able to\n proxy requests, so we always skip these connections. The identity controller makes no other\n outbound connections (so it's not important to persist any other skip ports here)\n */}}\n {{- $_ := set $tree.Values.proxyInit \"ignoreOutboundPorts\" .Values.proxyInit.kubeAPIServerPorts -}}\n - {{- include \"partials.proxy-init\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{- if .Values.priorityClassName -}}\n priorityClassName: {{ .Values.priorityClassName }}\n {{ end -}}\n securityContext:\n seccompProfile:\n type: RuntimeDefault\n serviceAccountName: linkerd-identity\n volumes:\n - name: identity-issuer\n secret:\n secretName: linkerd-identity-issuer\n - configMap:\n name: linkerd-identity-trust-roots\n name: trust-roots\n - {{- include \"partials.volumes.manual-mount-service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ if not .Values.cniEnabled -}}\n - {{- include \"partials.proxyInit.volumes.xtables\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{ if .Values.identity.serviceAccountTokenProjection -}}\n - {{- include \"partials.proxy.volumes.service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n - {{- include \"partials.proxy.volumes.identity\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{- if ((.Values.proxy.tracing).enabled) }}\n - {{- include \"partials.proxy.volumes.podinfo\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{- end }}\n{{end -}}\n" }, { "path": "charts/linkerd-control-plane/templates/namespace.yaml", "content": "{{- if eq .Release.Service \"CLI\" -}}\n---\n###\n### Linkerd Namespace\n###\nkind: Namespace\napiVersion: v1\nmetadata:\n name: {{ .Release.Namespace }}\n annotations:\n linkerd.io/inject: disabled\n labels:\n linkerd.io/is-control-plane: \"true\"\n config.linkerd.io/admission-webhooks: disabled\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}\n pod-security.kubernetes.io/enforce: {{ ternary \"restricted\" \"privileged\" .Values.cniEnabled }}\n{{ end -}}\n" }, { "path": "charts/linkerd-control-plane/templates/podmonitor.yaml", "content": "{{- $podMonitor := .Values.podMonitor -}}\n{{- if and $podMonitor.enabled $podMonitor.controller.enabled }}\n---\n###\n### Prometheus Operator PodMonitor for Linkerd control-plane\n###\napiVersion: monitoring.coreos.com/v1\nkind: PodMonitor\nmetadata:\n name: \"linkerd-controller\"\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{ .Release.Namespace }}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n namespaceSelector: {{ tpl .Values.podMonitor.controller.namespaceSelector . | nindent 4 }}\n selector:\n matchLabels: {}\n podMetricsEndpoints:\n - interval: {{ $podMonitor.scrapeInterval }}\n scrapeTimeout: {{ $podMonitor.scrapeTimeout }}\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_container_port_name\n action: keep\n regex: .*-admin$\n - sourceLabels:\n - __meta_kubernetes_pod_container_port_name\n action: drop\n regex: linkerd-admin\n - sourceLabels:\n - __meta_kubernetes_pod_container_name\n action: replace\n targetLabel: component\n{{- end }}\n{{- if and $podMonitor.enabled $podMonitor.serviceMirror.enabled }}\n---\n###\n### Prometheus Operator PodMonitor for Linkerd Service Mirror (multi-cluster)\n###\napiVersion: monitoring.coreos.com/v1\nkind: PodMonitor\nmetadata:\n name: \"linkerd-multicluster-controller\"\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{ .Release.Namespace }}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n namespaceSelector:\n any: true\n selector:\n matchLabels: {}\n podMetricsEndpoints:\n - interval: {{ $podMonitor.scrapeInterval }}\n scrapeTimeout: {{ $podMonitor.scrapeTimeout }}\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_label_linkerd_io_control_plane_component\n - __meta_kubernetes_pod_container_port_name\n action: keep\n regex: (linkerd-service-mirror|controller);.*-admin$\n - sourceLabels:\n - __meta_kubernetes_pod_container_port_name\n action: drop\n regex: linkerd-admin\n - sourceLabels:\n - __meta_kubernetes_pod_container_name\n action: replace\n targetLabel: component\n{{- end }}\n{{- if and $podMonitor.enabled $podMonitor.proxy.enabled }}\n---\n###\n### Prometheus Operator PodMonitor Linkerd data-plane\n###\napiVersion: monitoring.coreos.com/v1\nkind: PodMonitor\nmetadata:\n name: \"linkerd-proxy\"\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{ .Release.Namespace }}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n namespaceSelector:\n any: true\n selector:\n matchLabels: {}\n podMetricsEndpoints:\n - interval: {{ $podMonitor.scrapeInterval }}\n scrapeTimeout: {{ $podMonitor.scrapeTimeout }}\n relabelings:\n - sourceLabels:\n - __meta_kubernetes_pod_container_name\n - __meta_kubernetes_pod_container_port_name\n - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns\n action: keep\n regex: ^linkerd-proxy;linkerd-admin;{{ .Release.Namespace }}$\n - sourceLabels: [ __meta_kubernetes_namespace ]\n action: replace\n targetLabel: namespace\n - sourceLabels: [ __meta_kubernetes_pod_name ]\n action: replace\n targetLabel: pod\n - sourceLabels: [ __meta_kubernetes_pod_label_linkerd_io_proxy_job ]\n action: replace\n targetLabel: k8s_job\n - action: labeldrop\n regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job\n - action: labelmap\n regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)\n - action: labeldrop\n regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)\n - action: labelmap\n regex: __meta_kubernetes_pod_label_linkerd_io_(.+)\n - action: labelmap\n regex: __meta_kubernetes_pod_label_(.+)\n replacement: __tmp_pod_label_$1\n - action: labelmap\n regex: __tmp_pod_label_linkerd_io_(.+)\n replacement: __tmp_pod_label_$1\n - action: labeldrop\n regex: __tmp_pod_label_linkerd_io_(.+)\n - action: labelmap\n regex: __tmp_pod_label_(.+)\n{{- end }}\n" }, { "path": "charts/linkerd-control-plane/templates/proxy-injector-rbac.yaml", "content": "---\n###\n### Proxy Injector RBAC\n###\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-proxy-injector\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: [\"\"]\n resources: [\"events\"]\n verbs: [\"create\", \"patch\"]\n- apiGroups: [\"\"]\n resources: [\"namespaces\", \"replicationcontrollers\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"\"]\n resources: [\"pods\"]\n verbs: [\"list\", \"watch\"]\n- apiGroups: [\"extensions\", \"apps\"]\n resources: [\"deployments\", \"replicasets\", \"daemonsets\", \"statefulsets\"]\n verbs: [\"list\", \"get\", \"watch\"]\n- apiGroups: [\"extensions\", \"batch\"]\n resources: [\"cronjobs\", \"jobs\"]\n verbs: [\"list\", \"get\", \"watch\"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: linkerd-{{.Release.Namespace}}-proxy-injector\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nsubjects:\n- kind: ServiceAccount\n name: linkerd-proxy-injector\n namespace: {{.Release.Namespace}}\n apiGroup: \"\"\nroleRef:\n kind: ClusterRole\n name: linkerd-{{.Release.Namespace}}-proxy-injector\n apiGroup: rbac.authorization.k8s.io\n---\nkind: ServiceAccount\napiVersion: v1\nmetadata:\n name: linkerd-proxy-injector\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n{{- include \"partials.image-pull-secrets\" .Values.imagePullSecrets }}\n---\n{{- $host := printf \"linkerd-proxy-injector.%s.svc\" .Release.Namespace }}\n{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}\n{{- if (not .Values.proxyInjector.externalSecret) }}\nkind: Secret\napiVersion: v1\nmetadata:\n name: linkerd-proxy-injector-k8s-tls\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\ntype: kubernetes.io/tls\ndata:\n tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }}\n tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }}\n---\n{{- end }}\n{{- include \"linkerd.webhook.validation\" .Values.proxyInjector }}\napiVersion: admissionregistration.k8s.io/v1\nkind: MutatingWebhookConfiguration\nmetadata:\n name: linkerd-proxy-injector-webhook-config\n {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }}\n annotations:\n {{- if .Values.proxyInjector.injectCaFrom }}\n cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }}\n {{- end }}\n {{- if .Values.proxyInjector.injectCaFromSecret }}\n cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }}\n {{- end }}\n {{- end }}\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nwebhooks:\n- name: linkerd-proxy-injector.linkerd.io\n namespaceSelector:\n {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}\n objectSelector:\n {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }}\n clientConfig:\n service:\n name: linkerd-proxy-injector\n namespace: {{ .Release.Namespace }}\n path: \"/\"\n {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }}\n caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }}\n {{- end }}\n failurePolicy: {{.Values.webhookFailurePolicy}}\n admissionReviewVersions: [\"v1\", \"v1beta1\"]\n rules:\n - operations: [ \"CREATE\" ]\n apiGroups: [\"\"]\n apiVersions: [\"v1\"]\n resources: [\"pods\", \"services\"]\n scope: \"Namespaced\"\n sideEffects: None\n timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}\n" }, { "path": "charts/linkerd-control-plane/templates/proxy-injector.yaml", "content": "---\n###\n### Proxy Injector\n###\n{{- $tree := deepCopy . }}\n{{ $_ := set $tree.Values.proxy \"workloadKind\" \"deployment\" -}}\n{{ $_ := set $tree.Values.proxy \"component\" \"linkerd-proxy-injector\" -}}\n{{ $_ := set $tree.Values.proxy \"waitBeforeExitSeconds\" 0 -}}\n{{- if not (empty .Values.proxyInjectorProxyResources) }}\n{{- $c := dig \"cores\" .Values.proxy.cores .Values.proxyInjectorProxyResources }}\n{{- $_ := set $tree.Values.proxy \"cores\" $c }}\n{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }}\n{{- $_ := set $tree.Values.proxy \"resources\" $r }}\n{{- end }}\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n labels:\n app.kubernetes.io/name: proxy-injector\n app.kubernetes.io/part-of: Linkerd\n app.kubernetes.io/version: {{.Values.linkerdVersion}}\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n name: linkerd-proxy-injector\n namespace: {{ .Release.Namespace }}\nspec:\n replicas: {{.Values.controllerReplicas}}\n revisionHistoryLimit: {{.Values.revisionHistoryLimit}}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: proxy-injector\n {{- if .Values.deploymentStrategy }}\n strategy:\n {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n {{- end }}\n template:\n metadata:\n annotations:\n checksum/config: {{ include (print $.Template.BasePath \"/proxy-injector-rbac.yaml\") . | sha256sum }}\n {{ include \"partials.annotations.created-by\" . }}\n {{- include \"partials.proxy.annotations\" . | nindent 8}}\n {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n config.linkerd.io/opaque-ports: \"8443\"\n config.linkerd.io/default-inbound-policy: \"all-unauthenticated\"\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n linkerd.io/workload-ns: {{.Release.Namespace}}\n {{- include \"partials.proxy.labels\" $tree.Values.proxy | nindent 8}}\n {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}\n spec:\n {{- with .Values.runtimeClassName }}\n runtimeClassName: {{ . | quote }}\n {{- end }}\n {{- if .Values.tolerations -}}\n {{- include \"linkerd.tolerations\" . | nindent 6 }}\n {{- end -}}\n {{- include \"linkerd.node-selector\" . | nindent 6 }}\n {{- $_ := set $tree \"component\" \"proxy-injector\" -}}\n {{- with include \"linkerd.affinity\" $tree }}\n {{- . | nindent 6 }}\n {{- end }}\n automountServiceAccountToken: false\n containers:\n {{- $_ := set $tree.Values.proxy \"await\" $tree.Values.proxy.await }}\n {{- $_ := set $tree.Values.proxy \"loadTrustBundleFromConfigMap\" true }}\n {{- $_ := set $tree.Values.proxy \"podInboundPorts\" \"8443,9995\" }}\n {{- /*\n The pod needs to accept webhook traffic, and we can't rely on that originating in the\n cluster network.\n */}}\n {{- $_ := set $tree.Values.proxy \"defaultInboundPolicy\" \"all-unauthenticated\" }}\n {{- $_ := set $tree.Values.proxy \"capabilities\" (dict \"drop\" (list \"ALL\")) }}\n {{- $_ := set $tree.Values.proxy \"outboundDiscoveryCacheUnusedTimeout\" \"5s\" }}\n {{- $_ := set $tree.Values.proxy \"inboundDiscoveryCacheUnusedTimeout\" \"90s\" }}\n {{- if not $tree.Values.proxy.nativeSidecar }}\n - {{- include \"partials.proxy\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{- end }}\n - args:\n - proxy-injector\n - -log-level={{.Values.controllerLogLevel}}\n - -log-format={{.Values.controllerLogFormat}}\n - -linkerd-namespace={{.Release.Namespace}}\n - -enable-pprof={{.Values.enablePprof | default false}}\n {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }}\n env:\n {{- with (.Values.proxyInjector).additionalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- with (.Values.proxyInjector).experimentalEnv }}\n {{- toYaml . | nindent 8 -}}\n {{- end }}\n {{- end }}\n image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}\n imagePullPolicy: {{.Values.imagePullPolicy}}\n livenessProbe:\n httpGet:\n path: /ping\n port: 9995\n initialDelaySeconds: 10\n {{- with (.Values.proxyInjector.livenessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n name: proxy-injector\n ports:\n - containerPort: 8443\n name: proxy-injector\n - containerPort: 9995\n name: injector-admin\n readinessProbe:\n failureThreshold: 7\n httpGet:\n path: /ready\n port: 9995\n {{- with (.Values.proxyInjector.readinessProbe).timeoutSeconds }}\n timeoutSeconds: {{ . }}\n {{- end }}\n {{- if .Values.proxyInjectorResources -}}\n {{- include \"partials.resources\" .Values.proxyInjectorResources | nindent 8 }}\n {{- end }}\n securityContext:\n capabilities:\n drop:\n - ALL\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: {{.Values.controllerUID}}\n {{- if ge (int .Values.controllerGID) 0 }}\n runAsGroup: {{.Values.controllerGID}}\n {{- end }}\n allowPrivilegeEscalation: false\n seccompProfile:\n type: RuntimeDefault\n volumeMounts:\n - mountPath: /var/run/linkerd/config\n name: config\n - mountPath: /var/run/linkerd/identity/trust-roots\n name: trust-roots\n - mountPath: /var/run/linkerd/tls\n name: tls\n readOnly: true\n - mountPath: /var/run/secrets/kubernetes.io/serviceaccount\n name: kube-api-access\n readOnly: true\n initContainers:\n {{ if .Values.cniEnabled -}}\n - {{- include \"partials.network-validator\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ else -}}\n {{- /*\n The controller needs to connect to the Kubernetes API. There's no reason\n to put the proxy in the way of that.\n */}}\n {{- $_ := set $tree.Values.proxyInit \"ignoreOutboundPorts\" .Values.proxyInit.kubeAPIServerPorts -}}\n - {{- include \"partials.proxy-init\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{- if $tree.Values.proxy.nativeSidecar }}\n {{- $_ := set $tree.Values.proxy \"startupProbeInitialDelaySeconds\" 35 }}\n {{- $_ := set $tree.Values.proxy \"startupProbePeriodSeconds\" 5 }}\n {{- $_ := set $tree.Values.proxy \"startupProbeFailureThreshold\" 20 }}\n - {{- include \"partials.proxy\" $tree | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{- if .Values.priorityClassName -}}\n priorityClassName: {{ .Values.priorityClassName }}\n {{ end -}}\n securityContext:\n seccompProfile:\n type: RuntimeDefault\n serviceAccountName: linkerd-proxy-injector\n volumes:\n - configMap:\n name: linkerd-config\n name: config\n - configMap:\n name: linkerd-identity-trust-roots\n name: trust-roots\n - name: tls\n secret:\n secretName: linkerd-proxy-injector-k8s-tls\n - {{- include \"partials.volumes.manual-mount-service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ if not .Values.cniEnabled -}}\n - {{- include \"partials.proxyInit.volumes.xtables\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n {{if .Values.identity.serviceAccountTokenProjection -}}\n - {{- include \"partials.proxy.volumes.service-account-token\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end -}}\n - {{- include \"partials.proxy.volumes.identity\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{if ((.Values.proxy.tracing).enabled) -}}\n - {{- include \"partials.proxy.volumes.podinfo\" . | indent 8 | trimPrefix (repeat 7 \" \") }}\n {{ end }}\n---\nkind: Service\napiVersion: v1\nmetadata:\n name: linkerd-proxy-injector\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\n config.linkerd.io/opaque-ports: \"443\"\nspec:\n type: ClusterIP\n selector:\n linkerd.io/control-plane-component: proxy-injector\n ports:\n - name: proxy-injector\n port: 443\n targetPort: proxy-injector\n{{- if .Values.enablePodDisruptionBudget }}\n---\nkind: PodDisruptionBudget\napiVersion: policy/v1\nmetadata:\n name: linkerd-proxy-injector\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-component: proxy-injector\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\n annotations:\n {{ include \"partials.annotations.created-by\" . }}\nspec:\n maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}\n selector:\n matchLabels:\n linkerd.io/control-plane-component: proxy-injector\n{{- end }}\n" }, { "path": "charts/linkerd-control-plane/templates/psp.yaml", "content": "{{ if .Values.enablePSP -}}\n---\n###\n### Control Plane PSP\n###\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: linkerd-{{.Release.Namespace}}-control-plane\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: \"runtime/default\"\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nspec:\n {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }}\n allowPrivilegeEscalation: true\n {{- else }}\n allowPrivilegeEscalation: false\n {{- end }}\n readOnlyRootFilesystem: true\n {{- if empty .Values.cniEnabled }}\n allowedCapabilities:\n - NET_ADMIN\n - NET_RAW\n {{- end}}\n requiredDropCapabilities:\n - ALL\n hostNetwork: false\n hostIPC: false\n hostPID: false\n seLinux:\n rule: RunAsAny\n runAsUser:\n {{- if .Values.cniEnabled }}\n rule: MustRunAsNonRoot\n {{- else }}\n rule: RunAsAny\n {{- end }}\n runAsGroup:\n {{- if .Values.cniEnabled }}\n rule: MustRunAs\n ranges:\n - min: 1000\n max: 999999\n {{- else }}\n rule: RunAsAny\n {{- end }}\n supplementalGroups:\n rule: MustRunAs\n ranges:\n {{- if .Values.cniEnabled }}\n - min: 10001\n max: 65535\n {{- else }}\n - min: 1\n max: 65535\n {{- end }}\n fsGroup:\n rule: MustRunAs\n ranges:\n {{- if .Values.cniEnabled }}\n - min: 10001\n max: 65535\n {{- else }}\n - min: 1\n max: 65535\n {{- end }}\n volumes:\n - configMap\n - emptyDir\n - secret\n - projected\n - downwardAPI\n - persistentVolumeClaim\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: linkerd-psp\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nrules:\n- apiGroups: ['policy', 'extensions']\n resources: ['podsecuritypolicies']\n verbs: ['use']\n resourceNames:\n - linkerd-{{.Release.Namespace}}-control-plane\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: linkerd-psp\n namespace: {{ .Release.Namespace }}\n labels:\n linkerd.io/control-plane-ns: {{.Release.Namespace}}\n {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}\nroleRef:\n kind: Role\n name: linkerd-psp\n apiGroup: rbac.authorization.k8s.io\nsubjects:\n- kind: ServiceAccount\n name: linkerd-destination\n namespace: {{.Release.Namespace}}\n{{ if not .Values.disableHeartBeat -}}\n- kind: ServiceAccount\n name: linkerd-heartbeat\n namespace: {{.Release.Namespace}}\n{{ end -}}\n- kind: ServiceAccount\n name: linkerd-identity\n namespace: {{.Release.Namespace}}\n- kind: ServiceAccount\n name: linkerd-proxy-injector\n namespace: {{.Release.Namespace}}\n{{ end -}}\n" }, { "path": "charts/linkerd-control-plane/values-ha.yaml", "content": "# This values.yaml file contains the values needed to enable HA mode.\n# Usage:\n# helm install -f values-ha.yaml\n\n# -- Create PodDisruptionBudget resources for each control plane workload\nenablePodDisruptionBudget: true\n\ncontroller:\n # -- sets pod disruption budget parameter for all deployments\n podDisruptionBudget:\n # -- Maximum number of pods that can be unavailable during disruption\n maxUnavailable: 1\n\n# -- Specify a deployment strategy for each control plane workload\ndeploymentStrategy:\n rollingUpdate:\n maxUnavailable: 1\n maxSurge: 25%\n\n# -- add PodAntiAffinity to each control plane workload\nenablePodAntiAffinity: true\n\n# nodeAffinity:\n\n# proxy configuration\nproxy:\n resources:\n cpu:\n request: 100m\n memory:\n limit: 250Mi\n request: 20Mi\n\n# controller configuration\ncontrollerReplicas: 3\ncontrollerResources: &controller_resources\n cpu: &controller_resources_cpu\n limit: \"\"\n request: 100m\n memory:\n limit: 250Mi\n request: 50Mi\ndestinationResources: *controller_resources\n\n# identity configuration\nidentityResources:\n cpu: *controller_resources_cpu\n memory:\n limit: 250Mi\n request: 10Mi\n\n# heartbeat configuration\nheartbeatResources: *controller_resources\n\n# proxy injector configuration\nproxyInjectorResources: *controller_resources\nwebhookFailurePolicy: Fail\n\n# service profile validator configuration\nspValidatorResources: *controller_resources\n\n# flag for linkerd check\nhighAvailability: true\n" }, { "path": "charts/linkerd-control-plane/values.yaml", "content": "# Default values for linkerd.\n# This is a YAML-formatted file.\n# Declare variables to be passed into your templates.\n\n# -- Kubernetes DNS Domain name to use\nclusterDomain: cluster.local\n\n# -- The cluster networks for which service discovery is performed. This should\n# include the pod and service networks, but need not include the node network.\n#\n# By default, all IPv4 private networks and all accepted IPv6 ULAs are\n# specified so that resolution works in typical Kubernetes environments.\nclusterNetworks: \"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8\"\n# -- Docker image pull policy\nimagePullPolicy: IfNotPresent\n# -- Specifies the number of old ReplicaSets to retain to allow rollback.\nrevisionHistoryLimit: 10\n# -- Log level for the control plane components\ncontrollerLogLevel: info\n# -- Log format for the control plane components\ncontrollerLogFormat: plain\n# -- control plane version. See Proxy section for proxy version\nlinkerdVersion: linkerdVersionValue\n# -- default kubernetes deployment strategy\ndeploymentStrategy:\n rollingUpdate:\n maxUnavailable: 25%\n maxSurge: 25%\n# -- enables the use of EndpointSlice informers for the destination service;\n# enableEndpointSlices should be set to true only if EndpointSlice K8s feature\n# gate is on\nenableEndpointSlices: true\n# -- enables pod anti affinity creation on deployments for high availability\nenablePodAntiAffinity: false\n# -- enables the use of pprof endpoints on control plane component's admin\n# servers\nenablePprof: false\n# -- enables the creation of pod disruption budgets for control plane components\nenablePodDisruptionBudget: false\n# -- disables routing IPv6 traffic in addition to IPv4 traffic through the\n# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni\n# v1.4.0)\ndisableIPv6: true\n\ncontroller:\n # -- sets pod disruption budget parameter for all deployments\n podDisruptionBudget:\n # -- Maximum number of pods that can be unavailable during disruption\n maxUnavailable: 1\n # Configures tracing in the controllers and how traces are exported\n tracing:\n # -- Enables trace collection and export in the proxy\n enabled: false\n collector:\n # -- The collector endpoint to send traces to. Required if tracing is\n # enabled. If this is unset and `proxy.tracing.collector.endpoint` is set,\n # that endpoint will be re-used here.\n endpoint: \"\"\n# -- enabling this omits the NET_ADMIN capability in the PSP\n# and the proxy-init container when injecting the proxy;\n# requires the linkerd-cni plugin to already be installed\ncniEnabled: false\n# -- Trust root certificate (ECDSA). It must be provided during install.\nidentityTrustAnchorsPEM: |\n# -- Trust domain used for identity\n# @default -- clusterDomain\nidentityTrustDomain: \"\"\nkubeAPI: &kubeapi\n # -- Maximum QPS sent to the kube-apiserver before throttling.\n # See [token bucket rate limiter\n # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go)\n clientQPS: 100\n # -- Burst value over clientQPS\n clientBurst: 200\n# -- Additional annotations to add to all pods\npodAnnotations: {}\n# -- Additional labels to add to all pods\npodLabels: {}\n# -- Labels to apply to all resources\ncommonLabels: {}\n# -- Kubernetes priorityClassName for the Linkerd Pods\npriorityClassName: \"\"\n# -- Runtime Class Name for all the pods\nruntimeClassName: \"\"\n\n# policy controller configuration\npolicyController:\n # `image` has been removed.\n\n # -- Log level for the policy controller\n logLevel: info\n\n # -- The networks from which probes are performed.\n #\n # By default, all networks are allowed so that all probes are authorized.\n probeNetworks:\n - 0.0.0.0/0\n - \"::/0\"\n\n # -- policy controller resource requests & limits\n resources:\n cpu:\n # -- Maximum amount of CPU units that the policy controller can use\n limit: \"\"\n # -- Amount of CPU units that the policy controller requests\n request: \"\"\n memory:\n # -- Maximum amount of memory that the policy controller can use\n limit: \"\"\n # -- Maximum amount of memory that the policy controller requests\n request: \"\"\n ephemeral-storage:\n # -- Maximum amount of ephemeral storage that the policy controller can use\n limit: \"\"\n # -- Amount of ephemeral storage that the policy controller requests\n request: \"\"\n\n livenessProbe:\n timeoutSeconds: 1\n readinessProbe:\n timeoutSeconds: 1\n\n# proxy configuration\nproxy:\n # -- Enable service profiles for non-Kubernetes services\n enableExternalProfiles: false\n # -- Maximum time allowed for the proxy to establish an outbound TCP\n # connection\n outboundConnectTimeout: 1000ms\n # -- Maximum time allowed for the proxy to establish an inbound TCP\n # connection\n inboundConnectTimeout: 100ms\n # -- Maximum time allowed before an unused outbound discovery result\n # is evicted from the cache\n outboundDiscoveryCacheUnusedTimeout: \"5s\"\n # -- Maximum time allowed before an unused inbound discovery result\n # is evicted from the cache\n inboundDiscoveryCacheUnusedTimeout: \"90s\"\n # -- When set to true, disables the protocol detection timeout on the\n # outbound side of the proxy by setting it to a very high value\n disableOutboundProtocolDetectTimeout: false\n # -- When set to true, disables the protocol detection timeout on the inbound\n # side of the proxy by setting it to a very high value\n disableInboundProtocolDetectTimeout: false\n image:\n # -- Docker image for the proxy\n name: cr.l5d.io/linkerd/proxy\n # -- Pull policy for the proxy container image\n # @default -- imagePullPolicy\n pullPolicy: \"\"\n # -- Tag for the proxy container image\n # @default -- linkerdVersion\n version: \"\"\n # -- Enables the proxy's /shutdown admin endpoint\n enableShutdownEndpoint: false\n # -- Log level for the proxy\n logLevel: warn,linkerd=info,hickory=error\n # -- Log format (`plain` or `json`) for the proxy\n logFormat: plain\n # -- (`off` or `insecure`) If set to `off`, will prevent the proxy from\n # logging HTTP headers. If set to `insecure`, HTTP headers may be logged\n # verbatim. Note that setting this to `insecure` is not alone sufficient to\n # log HTTP headers; the proxy logLevel must also be set to debug.\n logHTTPHeaders: \"off\"\n ports:\n # -- Admin port for the proxy container\n admin: 4191\n # -- Control port for the proxy container\n control: 4190\n # -- Inbound port for the proxy container\n inbound: 4143\n # -- Outbound port for the proxy container\n outbound: 4140\n\n # -- Deprecated: use runtime.workers.minimum\n cores:\n\n runtime:\n # -- Worker threadpool configuration. The minimum will be automatically\n # derived from workload proxy CPU requests, when they are configured by\n # annotation. A cluster-level maximum may be configured here (and a\n # workload-level annotation is supported as well).\n workers:\n # -- Maximum number of worker threads that the proxy can use, by ratio of\n # the number of available CPUs. A value of 1.0 allocates a worker thread\n # for all available CPUs. A value of 0.1 allocates a worker thread for\n # 10% of the available CPUs.\n maximumCPURatio:\n\n # -- Configures a lower bound on the number of worker threads that the\n # proxy can use. When maximumCPURatio is not set, this value\n # is used.\n minimum: 1\n\n resources:\n # -- CPU configuration, when specified globally in Helm values, should be\n # kept in sync with the above runtime.workers.minimum configuration. The\n # minimum should reflect _at least_ the CPU request. When a limit is set,\n # the minimum should match the limit (and the maximumCPURatio should be\n # unset).\n cpu:\n # -- Maximum amount of CPU units that the proxy can use\n limit: \"\"\n # -- Amount of CPU units that the proxy requests\n request: \"\"\n\n memory:\n # -- Maximum amount of memory that the proxy can use\n limit: \"\"\n # -- Maximum amount of memory that the proxy requests\n request: \"\"\n\n ephemeral-storage:\n # -- Maximum amount of ephemeral storage that the proxy can use\n limit: \"\"\n # -- Amount of ephemeral storage that the proxy requests\n request: \"\"\n\n # -- User id under which the proxy runs\n uid: 2102\n # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)\n gid: -1\n # -- Optional custom security context for the proxy container.\n securityContext: {}\n\n # -- If set the injected proxy sidecars in the data plane will stay alive for\n # at least the given period before receiving the SIGTERM signal from\n # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.\n # See [Lifecycle\n # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)\n # for more info on container lifecycle hooks.\n waitBeforeExitSeconds: 0\n # -- If set, the application container will not start until the proxy is\n # ready\n await: true\n requireIdentityOnInboundPorts: \"\"\n # -- Default set of opaque ports\n # - SMTP (25,587) server-first\n # - MYSQL (3306) server-first\n # - Galera (4444) server-first\n # - PostgreSQL (5432) server-first\n # - Redis (6379) server-first\n # - ElasticSearch (9300) server-first\n # - Memcached (11211) clients do not issue any preamble, which breaks detection\n opaquePorts: \"25,587,3306,4444,5432,6379,9300,11211\"\n # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.\n shutdownGracePeriod: \"\"\n # -- The default allow policy to use when no `Server` selects a pod. One of: \"all-authenticated\",\n # \"all-unauthenticated\", \"cluster-authenticated\", \"cluster-unauthenticated\", \"deny\", \"audit\"\n # @default -- \"all-unauthenticated\"\n defaultInboundPolicy: \"all-unauthenticated\"\n # -- Configures the outbound transport mode. Valid values are \"transport-header\" and \"transparent\"\n outboundTransportMode: transport-header\n # -- Enable KEP-753 native sidecars\n # This is a beta feature. It requires Kubernetes >= 1.29.\n # If enabled, .proxy.waitBeforeExitSeconds should not be used.\n nativeSidecar: false\n # -- Native sidecar proxy startup probe parameters.\n # -- LivenessProbe timeout and delay configuration\n livenessProbe:\n initialDelaySeconds: 10\n timeoutSeconds: 1\n # -- ReadinessProbe timeout and delay configuration\n readinessProbe:\n initialDelaySeconds: 2\n timeoutSeconds: 1\n startupProbe:\n initialDelaySeconds: 0\n periodSeconds: 1\n failureThreshold: 120\n # Configures general properties of the proxy's control plane clients.\n control:\n # Configures limits on API response streams.\n streams:\n # -- The timeout for the first update from the control plane.\n initialTimeout: \"3s\"\n # -- The timeout between consecutive updates from the control plane.\n idleTimeout: \"5m\"\n # -- The maximum duration for a response stream (i.e. before it will be\n # reinitialized).\n lifetime: \"1h\"\n # Configures proxy metrics\n metrics:\n # -- Whether or not to export hostname labels in outbound request metrics.\n hostnameLabels: false\n # Configures tracing in the proxy and how they are exported\n tracing:\n # -- Enables trace collection and export in the proxy\n enabled: false\n traceServiceName: linkerd-proxy\n # -- Additional labels to add to the traces emitted by the proxy.\n # These should generally not be set globally, and instead overridden on\n # individual workloads via `resource.opentelemetry.io/