This release introduces direct pod-to-pod multicluster service mirroring. When
clusters are deployed on a flat network, Linkerd can export multicluster
services in a way where cross-cluster traffic does not need to go through the
gateway. This enhances multicluster authentication and can reduce the need for
provisioning public load balancers.
In addition, this release adds support for the
Gateway API HTTPRoute resource (in the
gateway.networking.k8s.io api group). This improves compatibility with other
tools that use these resources such as Flagger and
Argo Rollouts. The release also includes
a large number of features and improvements to HTTPRoute including the ability
to set timeouts and the ability to define consumer-namespace HTTPRoutes.
Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.
Upgrade notes: Please see the
upgrade instructions.
- Multicluster
- Remove namespace field from cluster scoped resources to fix pruning
- Added -o json flag for the linkerd multicluster gateways command (thanks
@hiteshwani29)
- Introduced logFormat value to the multicluster Link Helm Chart (thanks
@bunnybilou!)
- Added leader-election capabilities to the service-mirror controller
- Added high-availability (HA) mode for the multicluster service-mirror
- Added a new remoteDiscoverySelector field to the multicluster Link CRD,
which enables a service mirroring mode where the control plane
performs discovery for the mirrored service from the remote cluster, rather
than creating Endpoints for the mirrored service in the source cluster
- HTTPRoute
- Fixed linkerd uninstall issue for HTTPRoute
Added support for gateway.networking.k8s.io HTTPRoutes in the policy
controller
- Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
outbound policy; filters may be added at the route or backend level
- Added support for the ResponseHeaderModifier HTTPRoute filter
- Added support for HTTPRoutes defined in the consumer namespace
- Added support for HTTPRoute parent_refs that do not specify a port
- CRDs
- Patched the MeshTLSAuthentication CRD to force providing at least one
identity/identityRef
- Control Plane
- Send Opaque protocol hint for opaque ports in destination controller
- Replaced deprecated failure-domain.beta.kubernetes.io/zone labels in Helm
charts with topology.kubernetes.io/zone labels (thanks @piyushsingariya!)
- Replaced server_port_subscribers Destination controller gauge metric with
server_port_subscribes and server_port_unsubscribes counter metrics
- Proxy
- Handle Opaque protocol hints on endpoints
- Added outbound_http_balancer_endpoints metric
- Fixed missing route_ metrics for requests with * ServiceProfiles
- Fixed proxy startup failure when using the config.linkerd.io/admin-port
annotation (thanks @jclegras!)
- Added distinguishable version information to proxy logs and metrics
- CLI
- The linkerd diagnostics policy command now displays outbound policy when
the target resource is a Service
- A fix for HA validation checks when Linkerd is installed with Helm. Thanks
@mikutas!!
- Viz
- Add the kubelet NetworkAuthentication back since it is used by the
linkerd viz allow-scrapes subcommand.
- Fixed the linkerd viz check command so that it will wait until the viz
extension becomes ready
- Fixed an issue where specifying a remote_write config would cause the
Prometheus config to be invalid (thanks @hiteshwani29)
- Improved validation of the --to and --from flags for the linkerd viz stat
command (thanks @pranoyk)
- Added -o jsonpath flag to linkerd viz tap to allow filtering output fields
(thanks @hiteshwani29!)
- Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
- Fixed missing "Services" menu item in the Spanish localization for the linkerd-viz web dashboard (thanks @mclavel!)
- Extensions
- Added missing label linkerd.io/extension to certain resources to ensure they
pruned when appropriate (thanks @ClementRepo)
- Added tolerations and nodeSelector support in extensions namespace-metadata
Jobs (thanks @pssalman!)
- Init Containers
- Added an option for disabling the network validator's security context for
environments that provide their own
- CNI
- Added --set flag to install-cni plugin (thanks @amit-62!)
- Fixed missing resource-cni labels on linkerd-cni, this blocked the
linkerd-cni pods from coming up when the injector was broken (thanks
@migueleliasweb!)
- Build
- Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!
Outstanding!! Bookmarked, thank you!