2.13.3 Candidate PR #10857
I suggested some fairly minor copyedits for the changelog. Backports look good overall!
Fair winds and following seas captain! ⛵
It looks like you cherry-picked all of the commits that had already gone into 2.13.2. But no biggie, the end result is no-op.
Besides Eliza's comments, the missing readme updates and my comment below, it all looks good to me. I was a bit more conservative in 2.13.2, leaving some minor things for 2.14, but I think it's better to get everything in like you did here, that has already gone into an edge and is not explicitly flagged as a 2.14 feature (of which we have none yet) 👍
Now we use label to filter all resources to uninstall, but `httproutes.policy.linkerd.io` does not have label, so every uninstall would not remove it. Signed-off-by: Loong <loong.dai@intel.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
This proxy release changes the proxy to handle `Opaque` protocol hints on endpoints when sent by the Destination service. In addition, it updates the dependency on `h2` to fix a potential crash in the HTTP/2 implementation.

---

* build(deps): bump `h2` to v0.3.18 (linkerd/linkerd2-proxy#2394)
* outbound: handle `Opaque` protocol hints on endpoints (linkerd/linkerd2-proxy#2237)
* build(deps): bump cmake from 0.1.49 to 0.1.50 (linkerd/linkerd2-proxy#2365)

Signed-off-by: Eric Anderson <eric@buoyant.io>
* Bump prometheus image to v2.43.0 Closes #10752 Manually tested Viz and dashboard successfully Signed-off-by: Eric Anderson <eric@buoyant.io>
We have a number of tests in the `test/integration/install` directory which exercise basic functionality such as injecting pods and sending traffic. These tests are not currently run at all.

We update a number of tests which were previously just installing Linkerd to also run these basic tests.

Signed-off-by: Matei David <matei@buoyant.io>
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Matei David <matei@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
* add `trust_dns=error` to default proxy log level Since upstream has yet to release a version with PR bluejekyll/trust-dns#1881, this commit changes the proxy's default log level to silence warnings from `trust_dns_proto` that are generally spurious. Closes #10123. Signed-off-by: Eric Anderson <eric@buoyant.io>
This updates the policy controller's dependency on `h2` to v0.3.18, which includes a patch for [RUSTSEC-2023-0034]/GHSA-f8vr-r385-rh5r/CVE-2023-26964.

[RUSTSEC-2023-0034]: https://rustsec.org/advisories/RUSTSEC-2023-0034

Signed-off-by: Eric Anderson <eric@buoyant.io>
This link points to the wrong URL and currently 404s. This commit points it at the correct URL. Fixes #10734 Signed-off-by: Eric Anderson <eric@buoyant.io>
## stable-2.13.2

This stable release fixes an incompatibility issue with the AWS CNI addon in EKS that was forbidding pods to acquire networking after scaling up nodes (thanks @frimik!). It also includes security updates for dependencies.

* CNI
  * Fixed incompatibility issue with AWS CNI addon in EKS, that was forbidding pods to acquire networking after scaling up nodes. (thanks @frimik!)
* CLI
  * Fixed `linkerd uninstall` issue for HttpRoute
* Proxy
  * Updated the dependency on h2 to fix a potential crash in the HTTP/2 implementation.
  * Changed the proxy's default log level to silence warnings from `trust_dns_proto` that are generally spurious
* Extensions
  * Bumped Prometheus image to v2.43.0
  * Fixed Jaeger chart installation failure

Signed-off-by: Eric Anderson <eric@buoyant.io>
The outbound proxy handles endpoints with the `opaque_transport` flag by opening a direct connection to the inbound proxy's inbound listener port, and sending a ProtoBuf `TransportHeader` including the target port of the originating outbound connection and an (optional) `SessionProtocol` describing the protocol used on that connection.

Currently, outbound proxies initiating direct connections will *always* send `SessionProtocol` values communicating the protocol as understood by the outbound proxy. However, this is not always the desired behavior. Direct connections with `TransportHeader`s are used in two cases: for gateway connections, and for ports which are marked as opaque. When the inbound port is marked as opaque, the presence of a `SessionProtocol` tells the inbound proxy to handle that connection as the indicated protocol, which results in incorrect behavior when the inbound proxy's ServerPolicy configures the target port as opaque (see #9888).

Therefore, the `Destination` proxy API has been updated to add a new `ProtocolHint`, `Opaque`, which indicates that an outbound proxy should _not_ send a `SessionProtocol` when initiating a direct connection, even if the outbound proxy handled the connection as HTTP. This hint was added to the proxy API in linkerd/linkerd2-proxy-api#197, and released in `linkerd2-proxy-api` v0.8.0.

This branch updates the Destination controller's dependency on `linkerd2-proxy-api` to v0.8.0, and changes the controller to send an `Opaque` protocol hint when the target port is marked as opaque on the destination pod. This should override the `H2` protocol hint that is added when the destination is meshed. I've also added a new test for this behavior.

Fixes #9888 (along with linkerd/linkerd2-proxy#2209, which changes the proxy to actually handle the `Opaque` protocol hint).

Signed-off-by: Eric Anderson <eric@buoyant.io>
Now we use label to filter all resources to uninstall, but `httproutes.policy.linkerd.io` does not have label, so every uninstall would not remove it. Signed-off-by: Loong <loong.dai@intel.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
The namespace metadata service was not using the default registry, which was causing inconsistency with the rest of the services in the project. Updated the namespace metadata service to use the default registry, making it consistent with the other services. Tested the namespace metadata service locally and verified that it is now using the default registry. Confirmed that the changes did not introduce any regressions or conflicts with other charts. Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
This proxy release changes the proxy to handle `Opaque` protocol hints on endpoints when sent by the Destination service. In addition, it updates the dependency on `h2` to fix a potential crash in the HTTP/2 implementation.

---

* build(deps): bump `h2` to v0.3.18 (linkerd/linkerd2-proxy#2394)
* outbound: handle `Opaque` protocol hints on endpoints (linkerd/linkerd2-proxy#2237)
* build(deps): bump cmake from 0.1.49 to 0.1.50 (linkerd/linkerd2-proxy#2365)

Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [cpufeatures](https://github.com/RustCrypto/utils) from 0.2.5 to 0.2.6. - [Release notes](https://github.com/RustCrypto/utils/releases) - [Commits](RustCrypto/utils@cpufeatures-v0.2.5...cpufeatures-v0.2.6) --- updated-dependencies: - dependency-name: cpufeatures dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
The linkerd-multicluster-link chart provides no option to add additional user defined pod annotations. This change brings the linkerd-multicluster-link chart in line with other charts that expose the podAnnotation option in the helm values.yaml. Fixes #10674 Signed-off-by: Andrew Bentley <andrew.bentley@gropyus.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.9.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
* Bump prometheus image to v2.43.0 Closes #10752 Manually tested Viz and dashboard successfully Signed-off-by: Eric Anderson <eric@buoyant.io>
* Explicitly use bash when using pipes in CI workflows

As detailed in the [docs](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell), not expliciting the `shell` field results in using `bash -e`, whereas expliciting it results in `bash --noprofile --norc -eo pipefail`.

We'd like to have the pipefail option set whenever pipes are used. This avoids for example an issue we had recently in the release workflow where the k3d install script download was silently failing.

Also fixed `retry` flag for `bin/scurl` in the js workflow.

Signed-off-by: Eric Anderson <eric@buoyant.io>
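The difference between the two invocations named in this commit message, as an added example that is not part of the original commit or the project's workflows: a constructed step whose first pipeline stage fails is run under each set of flags. The `fake_download` function, its exit code 22 and the helper names are made up for illustration.

```shell
#!/usr/bin/env bash
# Constructed step body: a "download" that fails with exit code 22 is piped
# into a consumer that succeeds, followed by a later command in the same step.
# fake_download is a hypothetical stand-in for a script fetch that errors out.
STEP_BODY='
fake_download() { echo "partial data"; return 22; }
fake_download | cat >/dev/null
echo "later commands ran"
'

# run_step FLAGS...
# Runs STEP_BODY in a fresh bash started with FLAGS and prints
# "<exit status>:<1 if the later command ran, else 0>".
run_step() {
  out=""
  status=0
  out=$(bash "$@" -c "$STEP_BODY" 2>/dev/null) || status=$?
  case "$out" in
    *"later commands ran"*) continued=1 ;;
    *) continued=0 ;;
  esac
  echo "${status}:${continued}"
}

# `shell` field omitted: bash -e. The pipeline's status is that of its last
# command (cat), so errexit never sees the failed download.
implicit_shell() { run_step -e; }

# `shell: bash` set explicitly: errexit plus pipefail. The pipeline reports
# the failing stage's status and the step stops there.
explicit_shell() { run_step --noprofile --norc -eo pipefail; }

echo "implicit shell -> $(implicit_shell)"
echo "explicit shell -> $(explicit_shell)"
```
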
The Helm docs action in CI (which checks for discrepancies in Helm chart readmes) only checks the core Linkerd Helm charts, while allowing discrepancies in extension chart readmes.

Update the action to enforce Helm doc consistency in extension charts as well.

Signed-off-by: Alex Leong <alex@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
We have a number of tests in the `test/integration/install` directory which exercise basic functionality such as injecting pods and sending traffic. These tests are not currently run at all.

We update a number of tests which were previously just installing Linkerd to also run these basic tests.

Signed-off-by: Matei David <matei@buoyant.io>
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Matei David <matei@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
…10718) Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.21.3 to 7.21.4. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.21.4/packages/babel-core) --- updated-dependencies: - dependency-name: "@babel/core" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [eslint](https://github.com/eslint/eslint) from 8.36.0 to 8.38.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](eslint/eslint@v8.36.0...v8.38.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@d9f34f8...40a12dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.21+incompatible to 20.10.24+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v20.10.21...v20.10.24) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
…#10742) Bumps [EmbarkStudios/cargo-deny-action](https://github.com/EmbarkStudios/cargo-deny-action) from 1.5.0 to 1.5.2. - [Release notes](https://github.com/EmbarkStudios/cargo-deny-action/releases) - [Commits](EmbarkStudios/cargo-deny-action@8af37f5...e0a4407) --- updated-dependencies: - dependency-name: EmbarkStudios/cargo-deny-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
#10786) Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.26.3 to 0.27.1. - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](kubernetes/apiextensions-apiserver@v0.26.3...v0.27.1) --- updated-dependencies: - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Eric Anderson <eric@buoyant.io>
This proxy release fixes an issue where outbound proxies would attempt protocol detection on ports that are marked as opaque. It also adds support for ranges (such as `10-20`) in the `LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION` and `LINKERD2_PROXY_INBOUND_PORTS` environment variables. Finally, it changes the proxy to synthesize default client policies when the policy controller returns an `Unimplemented` gRPC status code, allowing 2.13 proxies to coexist with 2.12 control planes in downgrade scenarios.

---

* outbound: determine protocol based on `OutboundPolicy` (linkerd/linkerd2-proxy#2397)
* set default `trust_dns` log level to `ERROR` (linkerd/linkerd2-proxy#2393)
* outbound: test load balancer behavior with failure accrual (linkerd/linkerd2-proxy#2375)
* outbound: add missing `meta` field in test policy (linkerd/linkerd2-proxy#2400)
* inbound: determine default policies using the opaque ports env var (linkerd/linkerd2-proxy#2395)
* outbound: synthesize client policies on `Unimplemented` (linkerd/linkerd2-proxy#2396)
* build(deps): bump io-lifetimes from 1.0.4 to 1.0.10 (linkerd/linkerd2-proxy#2379)
* chore: allow `syn` v1 and v2 to coexist peacefully (linkerd/linkerd2-proxy#2401)
* build(deps): bump futures from 0.3.26 to 0.3.28 (linkerd/linkerd2-proxy#2370)
* build(deps): bump async-trait from 0.1.66 to 0.1.68 (linkerd/linkerd2-proxy#2368)

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Fixes #10764

`GetProfile` streams create a `server_port_subscribers` gauge that tracks the number of listeners interested in a given Server. Because of an oversight, the gauge was only being registered until the second listener was added. For just one listener the gauge was absent. But whenever the `GetProfile` stream ended, the gauge was deleted which resulted in this error if it wasn't registered to begin with:

```
level=warning msg="unable to delete server_port_subscribers metric with labels map[name:voting namespace:emojivoto port:4191]" addr=":8086" component=server
```

One can check that the gauge wasn't being created by installing viz and emojivoto, and checking the following returns empty:

```bash
$ linkerd diagnostics controller-metrics | grep server_port_subscribers
```

After this fix, one can see the metric getting populated:

```bash
$ linkerd diagnostics controller-metrics | grep server_port_subscribers
# HELP server_port_subscribers Number of subscribers to Server changes associated with a pod's port.
# TYPE server_port_subscribers gauge
server_port_subscribers{name="emoji",namespace="emojivoto",port="4191"} 1
server_port_subscribers{name="linkerd",namespace="linkerd",port="4191"} 1
server_port_subscribers{name="linkerd",namespace="linkerd",port="9990"} 1
server_port_subscribers{name="linkerd",namespace="linkerd",port="9995"} 1
server_port_subscribers{name="linkerd",namespace="linkerd",port="9996"} 1
server_port_subscribers{name="linkerd",namespace="linkerd",port="9997"} 1
server_port_subscribers{name="metrics",namespace="linkerd-viz",port="4191"} 1
server_port_subscribers{name="metrics",namespace="linkerd-viz",port="9995"} 1
server_port_subscribers{name="tap",namespace="linkerd-viz",port="4191"} 1
server_port_subscribers{name="tap",namespace="linkerd-viz",port="9995"} 1
server_port_subscribers{name="tap",namespace="linkerd-viz",port="9998"} 1
server_port_subscribers{name="vote",namespace="emojivoto",port="4191"} 1
server_port_subscribers{name="voting",namespace="emojivoto",port="4191"} 1
server_port_subscribers{name="web",namespace="emojivoto",port="4191"} 1
server_port_subscribers{name="web",namespace="linkerd-viz",port="4191"} 1
server_port_subscribers{name="web",namespace="linkerd-viz",port="9994"} 1
```

And when scaling down the voting deployment, one can see how the metric with `name="voting"` is removed.

Signed-off-by: Eric Anderson <eric@buoyant.io>
Fixes #10762

The Linkerd control plane chart contains a Lease resource which is used by the Policy controller to do leader election. ArgoCD considers Leases to be runtime resources and will not deploy them. This means that Linkerd will not work for users of ArgoCD.

We remove the policy-controller-write Lease resource from the Helm chart and instead have the policy controller create this resource at startup. We create it with an `Apply` patch with `resourceVersion="0"`. This ensures that the Lease resource will only be created if it does not already exist and that if there are multiple replicas of the policy controller starting up at once, only one of them will create the Lease resource.

We also set the `linkerd-destination` Deployment as the owner reference of the Lease resource. This means that when the `linkerd-destination` Deployment is deleted (for example, when Linkerd is uninstalled) then the Lease will be garbage collected by Kubernetes.

Signed-off-by: Alex Leong <alex@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Currently, the proxy injector will expand lists of opaque port ranges into lists of individual port numbers. This is because the proxy has historically not accepted port ranges in the `LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION` environment variable. However, when very large ranges are used, the size of the injected manifest can be quite large, since each individual port number in a range must be listed separately.

Proxy PR linkerd/linkerd2-proxy#2395 changed the proxy to accept ranges as well as individual port numbers in the opaque ports environment variable, and this change was included in the latest proxy release (v2.200.0). This means that the proxy-injector no longer needs to expand large port ranges into individual port numbers, and can now simply forward the list of ranges to the proxy. This branch changes the proxy injector to do this, resolving issues with manifest size due to large port ranges.

Closes #9803

Signed-off-by: Eric Anderson <eric@buoyant.io>
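A check an operator can run against a value in the range form described in this commit message, as an added example that is neither the proxy's nor the injector's parser: it reports whether a port is covered and how many entries the old expanded list would have needed. The comma separator, the 1-65535 bounds and all function names are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# is_port N: true when N is a decimal port in 1..65535 without leading zeros.
is_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# parse_item ITEM: sets LO and HI for "N" or "N-M"; fails when malformed.
parse_item() {
  case "$1" in
    *-*) LO=${1%%-*}; HI=${1#*-} ;;
    *)   LO=$1; HI=$1 ;;
  esac
  is_port "$LO" && is_port "$HI" && [ "$LO" -le "$HI" ]
}

# scan_spec SPEC PORT
# SPEC is a comma-separated list of ports and inclusive ranges (assumed
# format). Sets COVERED to 1 when PORT falls in SPEC, and ENTRIES to the
# number of individual ports a fully expanded list would contain.
# Returns 2 when SPEC or PORT is malformed.
scan_spec() {
  spec=$1 port=$2 rc=0
  COVERED=0 ENTRIES=0
  is_port "$port" && [ -n "$spec" ] || return 2
  old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
  for item in $spec; do
    if ! parse_item "$item"; then rc=2; break; fi
    ENTRIES=$((ENTRIES + HI - LO + 1))
    if [ "$port" -ge "$LO" ] && [ "$port" -le "$HI" ]; then COVERED=1; fi
  done
  IFS=$old_ifs; set +f
  return "$rc"
}

# Constructed sample value, not taken from a real manifest.
SAMPLE_SPEC="25,587,4444-4450"
scan_spec "$SAMPLE_SPEC" 4446 && echo "4446 covered=$COVERED entries=$ENTRIES"
scan_spec "1-65535" 8080 && echo "full range expands to $ENTRIES entries"
```
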
Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
…o remove bad merge changes Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
d54a8ca to 334f76f
Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Signed-off-by: Eric Anderson <eric@buoyant.io>
Clean up language Co-authored-by: Eliza Weisman <eliza@buoyant.io>
Fixing formatting Co-authored-by: Eliza Weisman <eliza@buoyant.io>
Apart from version numbers and CHANGES, this is identical to edge-23.4.3. 👍
looks good to me!
…hanged. Signed-off-by: Eric Anderson <eric@buoyant.io>
LGTM 👍
This stable release improves compatibility with ArgoCD by changing the Linkerd
control plane to create Lease resources at runtime rather than including them
in the Helm chart. It also addresses a CVE by upgrading an underlying
dependency.