Add release notes for stable-2.5.0

Relates to:
- linkerd/website#470
- linkerd/website#475

Signed-off-by: Andrew Seigner <siggy@buoyant.io>

CHANGES.md

@@ -1,3 +1,127 @@
+## stable-2.5.0
+
+This release adds Helm support, Tap authentication and authorization via RBAC,
+traffic split stats, dynamic logging levels, a new cluster monitoring dashboard,
+and countless performance enhancements and bug fixes.
+
+For more details, see the announcement blog post:
+https://linkerd.io/2019/08/19/announcing-linkerd-2.5/
+
+To install this release, run: `curl https://run.linkerd.io/install | sh`
+
+**Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
+plane. This command ensures that all existing control plane's configuration and
+mTLS secrets are retained. For more details, please see the [upgrade
+instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-5-0)
+for more details.
+
+**Special thanks to**: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber,
+@Pothulapati
+
+**Full release notes**:
+
+* CLI
+  * **New** Updated `linkerd tap`, `linkerd top` and `linkerd profile --tap` to
+    require `tap.linkerd.io` RBAC privileges, see https://linkerd.io/tap-rbac
+    for more info
+  * **New** Added traffic split metrics via `linkerd stat trafficsplits`
+    subcommand
+  * Made the `linkerd routes` command traffic-split aware
+  * Introduced the `linkerd --as` flag which allows users to impersonate another
+    user for Kubernetes operations
+  * Added the `--all-namespaces` (`-A`) option to the `linkerd get`,
+    `linkerd edges` and `linkerd stat` commands to retrieve resources across
+    all namespaces
+  * Improved the installation report produced by the `linkerd check` command
+    to include the control plane pods' live status
+  * Fixed bug the `linkerd upgrade config` command that was causing it to crash
+  * Introduced `--use-wait-flag` to the `linkerd install-cni` command, to
+    configure the CNI plugin to use the `-w` flag for `iptables` commands
+  * Introduced `--restrict-dashboard-privileges` flag to `linkerd install`
+    command, to restrict the dashboard's default privileges to disallow tap
+  * Fixed `linkerd uninject` not removing `linkerd.io/inject: enabled`
+    annotations
+  * Fixed `linkerd stat -h` example commands (thanks @ethan-daocloud!)
+  * Fixed incorrect "meshed" count in `linkerd stat` when resources share the
+    same label selector for pods (thanks @jonathanbeber!)
+  * Added pod status to the output of the `linkerd stat`command (thanks
+    @jonathanbeber!)
+  * Added namespace information to the `linkerd edges` command output and a new
+    `-o wide` flag that shows the identity of the client and server if known
+  * Added a check to the `linkerd check` command to validate the user has
+    privileges necessary to create CronJobs
+  * Added a new check to the `linkerd check --pre` command validating that if
+    PSP is enabled, the NET_RAW capability is available
+* Controller
+  * **New** Disabled all unauthenticated Tap endpoints. Tap requests now require
+    RBAC authentication and authorization, see https://linkerd.io/tap-rbac for
+    more info
+  * The `l5d-require-id` header is now set on tap requests so that a connection
+    is established over TLS
+  * Introduced the `APIService/v1alpha1.tap.linkerd.io` global resource
+  * Introduced the `ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator`
+    global resource
+  * Introduced the `Secret/linkerd-tap-tls` resource into the `linkerd`
+    namespace
+  * Introduced the `RoleBinding/linkerd-linkerd-tap-auth-reader` resource into
+    the `kube-system` namespace
+  * Added support for namespace-level proxy override annotations
+  * Added HTTP security headers on all dashboard responses
+  * Added resource limits when HA is enabled
+  * Added pod anti-affinity rules to the control plane pods when HA is enabled
+    (thanks @Pothulapati!)
+  * Added RSA support to TLS libraries
+  * Introduced a new ClusterRole, `linkerd-linkerd-tap-admin`, which gives
+    cluster-wide tap privileges. Also introduced a new ClusterRoleBinding,
+    `linkerd-linkerd-web-admin`, which binds the `linkerd-web` service account
+    to the new tap ClusterRole
+  * Fixed nil pointer dereference in the destination service when an endpoint
+    does not have a `TargetRef`
+  * Updated the destination service to return `InvalidArgument` for external
+    name services so that the proxy does not immediately fail the request
+  * Fixed an issue with discovering StatefulSet pods via their unique hostname
+  * Fixed an issue with traffic split where outbound proxy stats are missing
+  * Upgraded the service profile CRD to v1alpha2 where the openAPIV3Schema
+    validation is replaced by a validating admission webhook. No changes
+    required for users currently using v1alpha1
+  * Updated the control plane's pod security policy to restrict workloads from
+    running as `root` in the CNI mode (thanks @codeman9!)
+  * Introduced cluster heartbeat cron job
+  * Removed successfully completed `linkerd-heartbeat` jobs from pod listing in
+    the linkerd control plane to streamline `get po` output (thanks
+    @Pothulapati!)
+  * Bumped Prometheus to 2.11.1
+  * Bumped Grafana to 6.2.5
+* Proxy
+  * **New** Added a new `/proxy-log-level` endpoint to update the log level at
+    runtime
+  * **New** Updated the tap server to only admit requests from the control
+    plane's tap controller
+  * Introduced the `l5d-require-id` header to enforce TLS outbound
+    communication from the Tap server
+  * Added the `LINKERD2_PROXY_TAP_SVC_NAME` environment variable so that the tap
+    server attempts to authorize client identities
+  * Improved performance by using a constant-time load balancer
+  * Added `request_handle_us` histogram to measure proxy overhead
+  * Fixed gRPC client cancellations getting recorded as failures rather than
+    as successful
+  * Fixed a bug where tap would stop streaming after a short amount of time
+  * Fixed a bug that could cause the proxy to leak service discovery resolutions
+    to the Destination controller
+* Web UI
+  * **New** Added "Kubernetes cluster monitoring" Grafana dashboard with cluster
+    and containers metrics
+  * Updated the web server to use the new tap APIService. If the `linkerd-web`
+    service account is not authorized to tap resources, users will see a link to
+    documentation to remedy the error
+* Internal
+  * **New** Updated `linkerd install` and `linkerd upgrade` to use Helm charts
+    for templating
+  * Pinned Helm tooling to `v2.14.3`
+  * Added Helm integration tests
+  * Removed unused inject code (thanks @alenkacz!)
+  * Replaced `dep` with Go modules for dependency management
+
 ## edge-19.8.5
 
 This edge release is a release candidate for `stable-2.5`.
@@ -203,10 +327,11 @@ To install this release, run: `curl https://run.linkerd.io/install | sh`
 **Upgrade notes**: Use the `linkerd upgrade` command to upgrade the control
 plane. This command ensures that all existing control plane's configuration and
 mTLS secrets are retained. For more details, please see the [upgrade
-instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0) for more details.
+instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2-4-0)
+for more details.
 
-**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr
-@matej-g, @Pothulapati, @zaharidichev,
+**Special thanks to**: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr,
+@matej-g, @Pothulapati, @zaharidichev
 
 **Full release notes**:
 

charts/linkerd2/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: "v1"
-appVersion: edge-19.8.5
+appVersion: stable-2.5.0
 description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
 home: https://linkerd.io
 keywords:

charts/linkerd2/values.yaml

@@ -7,7 +7,7 @@ EnableH2Upgrade: true
 ImagePullPolicy: &image_pull_policy IfNotPresent
 
 # control plane version. See Proxy section for proxy version
-LinkerdVersion: &linkerd_version edge-19.8.5
+LinkerdVersion: &linkerd_version stable-2.5.0
 
 Namespace: linkerd
 OmitWebhookSideEffects: false