1.11.5: Update release notes (#7144)

* 1.11.5: Update release notes Signed-off-by: joshvanl <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> * Update docs/release_notes/v1.11.5.md Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> --------- Signed-off-by: joshvanl <me@joshvanl.dev> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev> Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
dapr · Nov 3, 2023 · ef38f30 · ef38f30
1 parent ee992ae
commit ef38f30
Showing 1 changed file with 88 additions and 1 deletion.
diff --git a/docs/release_notes/v1.11.5.md b/docs/release_notes/v1.11.5.md
@@ -1,6 +1,38 @@
 # Dapr 1.11.5
 
-This patch release includes a fix in gRPC-to-gRPC service invocation when the `ServiceInvocationStreaming` feature is enabled. Users who rely on gRPC-to-gRPC service invocation (legacy, non proxy-based) are encouraged to upgrade to Dapr 1.11.5 before upgrading existing deployments to 1.12.x, to prevent temporary issues during a rollout of Dapr 1.12.x.
+**Important:** Users who rely on gRPC-to-gRPC service invocation (legacy, non proxy-based) are encouraged to upgrade to Dapr 1.11.5 before upgrading existing deployments to 1.12.x, to prevent temporary issues during a rollout of Dapr 1.12.x.
+
+This update contains the following security fixes:
+
+- Security: prevent Sentry and Injector from applying the `daprsystem` Configuration from a non control plane namespace.
+
+Additionally, this patch release contains bug fixes:
+
+- Fixed gRPC-to-gRPC service invocation when the `ServiceInvocationStreaming` feature is enabled.
+- Fixed invoke remote stream from closing stream before EOF
+- Fixed failures downgrading from 1.12.x to 1.11.x
+- Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
+
+## Security: Sentry and Injector only apply `daprsystem` Configuration from the control plane namespace
+
+### Problem
+
+Sentry and Injector will apply the `daprsystem` configuration from a non-control plane namespace if the namespace name is alphabetically higher than the control plane namespace name.
+
+### Impact
+
+Accidentally or maliciously, a Kubernetes user can write a Configuration in a non-control plane namespace that will be applied by Sentry and Injector.
+This can re-write the Sentry CA, disable mTLS, or otherwise bring down the entire Dapr cluster.
+
+### Root cause
+
+Sentry and Injector currently list Configurations, before matching on the list for the `daprsystem` Configuration, without filtering for namespaces.
+
+### Solution
+
+Update Sentry and Injector to only get the `daprsystem` Configuration from the namespace where the Dapr control plane is installed, instead of listing all Configurations.
+
+## Fixed gRPC-to-gRPC service invocation when the `ServiceInvocationStreaming` feature is enabled.
 
 ### Problem
 
@@ -19,3 +51,58 @@ An issue was detected in the internal implementation of service invocation when
 ### Solution
 
 We fixed the issue in Dapr 1.12.0 and 1.11.5.
+
+## Fixed invoke remote stream from closing stream before EOF
+
+### Problem
+
+When performing service invocation using resiliency, the service invocation can end with an EOF error rather than successfully returning the result.
+
+### Impact
+
+When `ServiceInvocationStreaming` is enabled, service invocation is unusable when using resiliency.
+
+### Root cause
+
+A bug in the code meant that the gRPC stream was closed before the EOF was sent to the client.
+
+### Solution
+
+Fix the code so that the EOF is sent before the stream is closed.
+
+## Fixed failures downgrading from 1.12.x to 1.11.x
+
+### Problem
+
+When downgrading from 1.12.x to 1.11.x, the Dapr sidecar injector will fail to inject the sidecar into pods, failing with validating certificates against the Certification Authority.
+
+### Impact
+
+Users who downgrade the Dapr installation from 1.12.x to 1.11.x will result in their Dapr cluster being in broken state.
+
+### Root cause
+
+1.12 made a change that the Injector's serving certificate is now signed by the Dapr CA (Certification Authority), rather than a separate CA managed through Helm.
+The 1.11 Helm chart will always use an existing CA in the Webhook Configuration if it exists, meaning the serving certificate and CA will mismatch on a downgrade.
+
+### Solution
+
+The 1.11 Helm chart will correctly update the webhook Configuration to use the Dapr CA when downgrading from 1.12 to 1.11.
+
+## Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
+
+### Problem
+
+With Resiliency enabled, in case of HTTP service invocation, if one application sends error status codes (HTTP codes <200 or >=400), Dapr returns a response with a generic 500 error, instead of the actual response error code.
+
+### Impact
+
+Applications will receive the wrong status code in case of HTTP service invocation returning a failure error code with Resiliency enabled.
+
+### Root cause
+
+A bug was discovered in how errors were handled when Resiliency was enabled, causing all errors from the application to be "swallowed" by Dapr.
+
+### Solution
+
+Resiliency code now returns the correct status code to the application.