Alpeb/stable 2.9.1 (#25)
* proxy: v2.119.0 (linkerd#5200)

This release modifies the default idle timeout to 5s for outbound
clients and 20s for inbound clients. This prevents idle clients from
consuming memory at the cost of performing more discovery resolutions
for periodic but infrequent traffic. This is intended to reduce the
proxy's memory footprint, especially on Prometheus instances.

The proxy's *ring* and rustls dependencies have also been updated.

---

* Update *ring* and rustls dependencies (linkerd/linkerd2-proxy#735)
* http: Configure client connection pools (linkerd/linkerd2-proxy#734)

* Add endpoint to GetProfile response (linkerd#5227)

Context: linkerd#5209

This updates the destination service to set the `Endpoint` field in `GetProfile`
responses.

The `Endpoint` field is only set if the IP maps to a Pod--not a Service.

Additionally in this scenario, the default Service Profile is used as the base
profile so no other significant fields are set.

### Examples

```
# GetProfile for an IP that maps to a Service
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.43.222.0:9090
INFO[0000] fully_qualified_name:"linkerd-prometheus.linkerd.svc.cluster.local"  retry_budget:{retry_ratio:0.2  min_retries_per_second:10  ttl:{seconds:10}}  dst_overrides:{authority:"linkerd-prometheus.linkerd.svc.cluster.local.:9090"  weight:10000}
```

Before:

```
# GetProfile for an IP that maps to a Pod
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.42.0.20
INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}}
```

After:

```
# GetProfile for an IP that maps to a Pod
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.42.0.20
INFO[0000] retry_budget:{retry_ratio:0.2  min_retries_per_second:10  ttl:{seconds:10}}  endpoint:{addr:{ip:{ipv4:170524692}}  weight:10000  metric_labels:{key:"control_plane_ns"  value:"linkerd"}  metric_labels:{key:"deployment"  value:"fast-1"}  metric_labels:{key:"pod"  value:"fast-1-5cc87f64bc-9hx7h"}  metric_labels:{key:"pod_template_hash"  value:"5cc87f64bc"}  metric_labels:{key:"serviceaccount"  value:"default"}  tls_identity:{dns_like_identity:{name:"default.default.serviceaccount.identity.linkerd.cluster.local"}}  protocol_hint:{h2:{}}}
```

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

* cli: Fix custom namespace installation (linkerd#5241)

The `--linkerd-namespace` flag was not honored by the `install`
command. This change updates the install templating to use the
value of this flag.

* cli: Don't check for SAN in root and intermediate certs (linkerd#5237)

As discussed in linkerd#5228, it is not correct for root and intermediate
certs to have SAN. This PR updates the check to not verify the
intermediate issuer cert with the identity dns name (which checks with
SAN and not CN as the `verify` func is used to verify leaf certs and
not root and intermediate certs). This PR also avoids setting a SAN
field when generating certs in the `install` command.

Fixes linkerd#5228

* proxy: v2.121.0 (linkerd#5253)

This release changes error handling to tear down the server-side
connection when an unexpected error is encountered.

Additionally, the outbound TCP routing stack can now skip redundant
service discovery lookups when profile responses include endpoint
information.

Finally, the cache implementation has been updated to reduce latency by
removing unnecessary buffers.

---

* h2: enable HTTP/2 keepalive PING frames (linkerd/linkerd2-proxy#737)
* actions: Add timeouts to GitHub actions (linkerd/linkerd2-proxy#738)
* outbound: Skip endpoint resolution on profile hint (linkerd/linkerd2-proxy#736)
* Add a FromStr for dns::Name (linkerd/linkerd2-proxy#746)
* outbound: Avoid redundant TCP endpoint resolution (linkerd/linkerd2-proxy#742)
* cache: Make the cache cloneable with RwLock (linkerd/linkerd2-proxy#743)
* http: Teardown serverside connections on error (linkerd/linkerd2-proxy#747)

* Check correct label value when setting protocol hint (linkerd#5267)

This fixes an issue where the protocol hint is always set on endpoint responses.
We now check the right value which determines if the pod has the required label.

A test for this has been added to linkerd#5266.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

* proxy: v2.122.0 (linkerd#5279)

This release addresses some issues reported around clients seeing
max-concurrency errors by increasing the default in-flight request limit
to 100K pending requests.

Additionally, the proxy now sets an appropriate content-type when
synthesizing gRPC error responses.

---

* style: fix some random clippy lints (linkerd/linkerd2-proxy#749)
* errors: Set `content-type` for synthesized grpc errors (linkerd/linkerd2-proxy#750)
* concurrency-limit: Drop permit on readiness (linkerd/linkerd2-proxy#751)
* Increase the default buffer capacity to 100K (linkerd/linkerd2-proxy#752)
* Change default max-in-flight and buffer-capacity (linkerd/linkerd2-proxy#753)

* notes for 2.9.1

Co-authored-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Co-authored-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
4 people authored Dec 1, 2020
1 parent 2ff70d4 commit 78f701c
Showing 19 changed files with 376 additions and 402 deletions.
2 changes: 1 addition & 1 deletion .proxy-version
@@ -1 +1 @@
v2.118.0
v2.122.0
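Review bot: the jump from v2.118.0 to v2.122.0 covers more proxy versions than the commit message documents, which describes v2.119.0, v2.121.0 and v2.122.0 and says nothing about a v2.120.0. If that release exists, add its notes to the message, because this one line also pulls in the *ring* and rustls update and the new idle-timeout and in-flight defaults, and the message is the only record of the behaviour changes that come with the bump.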
4 changes: 4 additions & 0 deletions CHANGES.md
@@ -1,5 +1,9 @@
# Changes

## stable-2.9.1

Some notes

## stable-2.9.0

This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
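Review bot: `Some notes` under `## stable-2.9.1` is a placeholder that would ship in the stable changelog. Replace it with the user-visible changes the commit message already names: the 5s/20s idle timeout defaults, the `--linkerd-namespace` fix for `install`, the removal of the SAN check on root and intermediate certs, and the 100K in-flight request limit.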
4 changes: 4 additions & 0 deletions cli/cmd/install.go
Expand Up @@ -294,6 +294,10 @@ func install(ctx context.Context, w io.Writer, values *l5dcharts.Values, flags [
}

func render(w io.Writer, values *l5dcharts.Values, stage string) error {

// Set any global flags if present, common with install and upgrade
values.Global.Namespace = controlPlaneNamespace

// Render raw values and create chart config
rawValues, err := yaml.Marshal(values)
if err != nil {
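Review bot: in `render`, the comment says global flags are set "if present", but `values.Global.Namespace = controlPlaneNamespace` is unconditional, so it overwrites whatever namespace `values` already carried when `render` is called. Either guard the assignment on the flag having been set or reword the comment to say the flag always wins, and drop the blank line after the function's opening brace.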
1 change: 0 additions & 1 deletion cli/cmd/install_test.go
Expand Up @@ -462,7 +462,6 @@ func TestValidate(t *testing.T) {
{"valid", ""},
{"expired", "failed to validate issuer credentials: not valid anymore. Expired on 1990-01-01T01:01:11Z"},
{"not-valid-yet", "failed to validate issuer credentials: not valid before: 2100-01-01T01:00:51Z"},
{"wrong-domain", "failed to validate issuer credentials: x509: certificate is valid for wrong.linkerd.cluster.local, not identity.linkerd.cluster.local"},
{"wrong-algo", "failed to validate issuer credentials: must use P-256 curve for public key, instead P-521 was used"},
}
for _, tc := range testCases {
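Review bot: the only change to the `TestValidate` table is one deleted case, which from the commit message is `wrong-domain`, and nothing replaces it. Add a case asserting that an issuer certificate with no SAN validates (expected error `""`), so the new behaviour is pinned by a test rather than only by the absence of the old one.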
4 changes: 2 additions & 2 deletions cli/cmd/options.go
Expand Up @@ -571,7 +571,7 @@ func validateValues(ctx context.Context, k *k8s.KubernetesAPI, values *l5dcharts
if err != nil {
return err
}
_, err = externalIssuerData.VerifyAndBuildCreds(issuerName(values.Global.IdentityTrustDomain))
_, err = externalIssuerData.VerifyAndBuildCreds()
if err != nil {
return fmt.Errorf("failed to validate issuer credentials: %s", err)
}
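Review bot: with the `issuerName(values.Global.IdentityTrustDomain)` argument dropped from `externalIssuerData.VerifyAndBuildCreds()`, the external issuer certificate is no longer tied to the configured trust domain at this call site. Say in the doc comment of `VerifyAndBuildCreds` what it still checks, and remove `issuerName` if these two calls were its last users.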
Expand All @@ -583,7 +583,7 @@ func validateValues(ctx context.Context, k *k8s.KubernetesAPI, values *l5dcharts
IssuerKey: values.Identity.Issuer.TLS.KeyPEM,
TrustAnchors: values.Global.IdentityTrustAnchorsPEM,
}
_, err := issuerData.VerifyAndBuildCreds(issuerName(values.Global.IdentityTrustDomain))
_, err := issuerData.VerifyAndBuildCreds()
if err != nil {
return fmt.Errorf("failed to validate issuer credentials: %s", err)
}
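Review bot: `issuerData.VerifyAndBuildCreds()` now rests on the chain to `TrustAnchors` plus the validity and key checks that the `TestValidate` cases show (expiry, not-before, P-256). If it does not already reject a certificate that is not a CA, add that check, since the name check no longer stands between a leaf certificate and the issuer slot.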