kumactl 2.8.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

release notes

We are excited to announce the latest release !
Kuma 2.8.0 comes with a new resource MeshExternalService and policy MeshPassthrough.
Notable Changes
MeshPassthrough

A new policy allows limiting the current passthrough behavior to specific services and destinations. You can read more here

MeshExternalService

New resource that can replace current ExternalService and mitigate it's issues. Read more here

HostnameGenerator

New resource enabling custom hostnames for MeshExternalServices, with more functionalities coming in the future here

Upgrading
We strongly suggest upgrading to Kuma 2.8.0. Upgrading is straightforward through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.
Changelog

chore(build): add possibility to configure extra args for shellcheck #10331 @Automaat
chore(build): set envoy version conditionally #10538 @lukidzi
chore(deps): bump Kong/public-shared-actions from 2.2.0 to 2.2.3 #9995 #10126 #10197 @dependabot
chore(deps): bump actions/checkout from 4.1.2 to 4.1.7 #10036 #10123 #10195 #10263 #10521 @dependabot
chore(deps): bump actions/create-github-app-token from 1.9.3 to 1.10.1 #10175 #10372 @dependabot
chore(deps): bump actions/download-artifact from 4.1.4 to 4.1.7 #9993 #10122 @dependabot
chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 #10173 @dependabot
chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 #9994 #10035 #10127 @dependabot
chore(deps): bump cloudsmith-io/action from 0.6.6 to 0.6.9 #10324 #10427 #10523 @dependabot
chore(deps): bump debian from b37bc25 to a92ed51 #10120 #10264 #10520 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 4cba3ac to 1dcd82e #10183 @dependabot
chore(deps): bump envoy version from 1.29.3 to 1.30.2 #10453 @lukidzi
chore(deps): bump github.com/cilium/ebpf from 0.14.0 to 0.15.0 #10039 @dependabot
chore(deps): bump github.com/containernetworking/cni from 1.2.0 to 1.2.1 #10526 @dependabot
chore(deps): bump github.com/containernetworking/plugins from 1.4.1 to 1.5.0 #10282 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.12.0 to 3.12.1 #10375 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.4 to 0.6.1 #10528 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.4.1 to 1.4.2 #10295 @dependabot
chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.0 to 4.17.1 #10038 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.46.13 to 0.46.15 #10118 #10297 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.5 to 5.6.0 #10325 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.58 to 1.1.61 #9990 #10527 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.19.0 #10119 #10223 #10296 #10326 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.1 #9991 #10180 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 #10226 @dependabot
chore(deps): bump github.com/prometheus/common from 0.52.3 to 0.54.0 #9989 #10374 @dependabot
chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 #10530 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.30.0 to 0.31.0 #10222 @dependabot
chore(deps): bump github/codeql-action from 3.25.0 to 3.25.10 #9996 #10128 #10227 #10286 #10373 #10396 #10522 @dependabot
chore(deps): bump go.opentelemetry.io/proto/otlp from 1.2.0 to 1.3.1 #10524 @dependabot
chore(deps): bump golang.org/x/net from 0.24.0 to 0.26.0 #10225 #10398 @dependabot
chore(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 #10181 @dependabot
chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 #10176 @dependabot
chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 6.0.1 #10129 #10174 #10196 @dependabot
chore(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 #10266 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.2 #10177 #10525 @dependabot
chore(deps): bump kumahq/ubuntu-netools from 9eba4ba to 8675216 #10131 #10182 #10285 @dependabot
chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 #10228 @dependabot
chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.5 #9997 #10125 @dependabot
chore(deps): bump postgres from 5c58707 to 46aa2ee #10041 #10132 #10221 #10284 #10514 @dependabot
chore(deps): bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 #10124 @dependabot
chore(deps): bump the go-opentelemetry-io group with 9 updates #10115 #10294 @dependabot
chore(deps): bump ubuntu from jammy-20240227 to jammy-20240530 #9987 #10121 #10184 #10413 @dependabot
chore(deps): ignore go-control-plane updates by dependabot #10412 @bartsmykla
chore(deps): update CNI to v1.2.0 #10101 @Icarus9913
chore(deps): upgrade go to 1.21.11 #10401 @lukidzi
chore(deps): use latest kumahq/kuma-gui #9978 #9980 #9985 #9998 #10001 #10009 #10010 #10043 #10044 #10052 #10053 #10060 #10061 #10062 #10064 #10092 #10093 #10105 #10108 #10111 #10112 #10135 #10136 #10143 #10187 #10188 #10190 #10198 #10199 #10201 #10210 #10213 #10231 #10232 #10240 #10242 #10249 #10262 #10269 #10281 #10283 #10289 #10292 #10302 #10305 #10307 #10310 #10311 #10423 #10424 #10425 #10429 #10431 #10432 #10450 #10456 #10465 #10473 #10479 #10493 #10505 #10536 #10556 #10596 #10603 @kumahq
feat(Mesh*Service): validate name length #10544 @michaelbeaumont
feat(MeshExternalService): implement a new resource #10239 #10293 #10306 #10336 #10444 #10445 #10568 #10570 #10578 #10594 @lukidzi,@slonka
feat(MeshRetry): allow setting numRetries to 0 to disable retries #10250 @lahabana
feat(MeshService): add events when generating from Kubernetes Service #10290 @michaelbeaumont
feat(MeshService): add port names #10287 @michaelbeaumont
feat(MeshService): handle headless Services #10308 @michaelbeaumont
feat(MeshService): set kuma.io/managed-by for converted MeshServices #10481 @michaelbeaumont
feat(MeshService): support mTLS #10403 @michaelbeaumont
feat(MeshService): tag with headlessness, add pod-name/pod-index labels #10472 @michaelbeaumont
feat(MeshService): use hostnames for DNS #10387 @michaelbeaumont
feat(api-server): update policies api response structure #10428 @Icarus9913
feat(hostnamegenerator): add display name to HostnameGenerator #10476 @slonka
feat(hostnamegenerator): add zone and namespace variables #10533 @jakubdyszkiewicz
feat(hostnamegenerator): apply templates to MeshServices #10362 @michaelbeaumont
feat(hostnamegenerator): implement MeshExternalService support #10379 @lukidzi
feat(hostnamegenerator): prevent template being empty #10548 @slonka
feat(k8s): add kubernetes.io/hostname to default node labels to copy #10243 @slonka
feat(k8s): opt-in to support tls for GAPI in all namespaces #10015 @jakubdyszkiewicz
feat(kds): add a flag to avoid creating a zone on connection on kds #10298 @lahabana
feat(kds): create first, then remove synced resources #10562 @Automaat
feat(kds): sync mesh service status #10337 @jakubdyszkiewicz
feat(kuma-cni): add readOnlyRootFilesystem into securityContext of the container kuma-validation #10394 @jijiechen
feat(kuma-cp): add error type to nack metric #10013 @slonka
feat(kuma-cp): add policy matching api for meshservice #10378 @Automaat
feat(kuma-cp): always add kuma.io/zone label to resource #10457 @Automaat
feat(kuma-cp): consumer policies on app's namespace #10361 @lobkovilya
feat(kuma-dp): add function to find default CA #10367 @lukidzi
feat(meshexternalservice): add IP allocator for meshexternalservice #10376 @lukidzi
feat(meshpassthrough): create API and validators #10314 @lukidzi
feat(meshpassthrough): implement new policy #10363 #10458 #10466 #10532 #10576 #10595 @lukidzi
feat(meshservice): cross-zone connectivity #10411 @jakubdyszkiewicz
feat(meshservice): ipam #10320 @jakubdyszkiewicz
feat(meshservice): prefer MeshService over kuma.io/service routing #10564 @jakubdyszkiewicz
feat(meshservice): rename protocol to appprotocol #10539 @jakubdyszkiewicz
feat(meshservice): sync identity cross zones #10451 @jakubdyszkiewicz
feat(meshservice): sync mesh service to other zones #10380 @jakubdyszkiewicz
feat(report): add more info in the report #10270 @lahabana
feat(store): update does not wipe out labels #10335 @jakubdyszkiewicz
fix(GatewayAPI): only enqueue Gateway reconciliations from routes if parent is a Gateway #10316 @spacewander
fix(HostnameGenerator): don't exit component on error #10392 @michaelbeaumont
fix(Mesh*Service): rename HostnameGenerator ref name to coreName #10597 @michaelbeaumont
fix(MeshHttpRoute): don't split header value prematurely #10191 @spacewander
fix(MeshRoute): properly map listener TLS certs to DownstreamTlsContext #10272 @michaelbeaumont
fix(ZoneIngress): fix no pointer panic for advertised address resolving #10475 @Icarus9913
fix(api-server): check for tenant just before logging #10377 @michaelbeaumont
fix(api-server): fix trace/span ID processing in logs #10100 @bartsmykla
fix(gateway): handle implicit kuma.io/service in pod annotation #10076 @jakubdyszkiewicz
fix(gateway): run validating webhook on MeshGatewayInstance #10330 @Icarus9913
fix(gateway): support inlineString in TLS certificates #10159 @michaelbeaumont
fix(gatewayapi): reconcile HTTPRoutes when relevant Services change #10192 @michaelbeaumont
fix(gatewayapi): validate presence of all required Gateway API resources #10079 @bartsmykla
fix(helm): don't fail when webhook doesn't exist #10098 @lahabana
fix(helm): include GatewayClass only if installing a zone CP in Kubernetes mode #10012 @michaelbeaumont
fix(jobs): jobs termination after CP restart #10085 @jakubdyszkiewicz
fix(k8s): don't error if a service doesn't expose any ports we can handle #9982 @michaelbeaumont
fix(k8s): take mesh from label of the namespace #10580 @jakubdyszkiewicz
fix(k8s): use EndpointSlices to determine identity for Service without selectors #10134 @michaelbeaumont
fix(k8s): virtual probes for sidecar initContainer ports also exposed by a Service #9971 @michaelbeaumont
fix(kds): change version label for kds_clint_versions metric #10323 @Automaat
fix(kds): clone resource on update meta #10460 @jakubdyszkiewicz
fix(kds): fix resource name hashing on global #10452 @Automaat
fix(kds): fix the case when webhook/db reject resource #10315 @lukidzi
fix(kds): fix updating metric of kds client version #10312 @Automaat
fix(kds): make error handling similar between GlobalToZoneSync and ZoneToGlobalSync #10056 @michaelbeaumont
fix(kds): send NACK only when resource is invalid and do not retry #10480 @lukidzi
fix(kuma-cp): allow MES / HG to only be created in SystemNamespace #10577 @lobkovilya
fix(kuma-cp): cleanup generated egress certs #10162 @michaelbeaumont
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs #10160 @michaelbeaumont
fix(kuma-cp): consistently update ZoneIngress available services #10426 @michaelbeaumont
fix(kuma-cp): filter out old dangling zone resources in global (backport of #10245) #10268 @michaelbeaumont
fix(kuma-cp): index generated certs by proxy type #10161 @michaelbeaumont
fix(kuma-cp): mistakenly setting 'kuma.io/display-name' as label #10430 @lobkovilya
fix(kuma-cp): panic on mesh delete #10604 @jakubdyszkiewicz
fix(kuma-cp): validate the bandwidth strictly #10371 @spacewander
fix(kuma-dp): set systemCaPath when requesting config from kuma-cp #10443 @lukidzi
fix(kumactl): fix bad escape on regex #10420 @lahabana
fix(meshservice): tags and selector #10535 @jakubdyszkiewicz
fix(transparent-proxy): stop logging all to stderr when installing tproxy #10045 @bartsmykla
fix(validation): don't prefix validation errors with spec. for core plugin resources #10543 @michaelbeaumont

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.