Stable 2.12.5+plaid 1 :: [PATCH] Fix bug where topology routing would not disable while service was under load.

.github/actions/rust-docker-build/action.yml

@@ -42,7 +42,8 @@ runs:
           -f ./${{ inputs.component-path }}/${{ inputs.arch }}.dockerfile \
           --tag=ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}:${{ inputs.tag }}-${{ inputs.arch }} \
           --cache-from type=local,src=${{ runner.temp }}/.buildx-cache \
-          --cache-to type=local,dest=${{ runner.temp }}/.buildx-cache,mode=max
+          --cache-to type=local,dest=${{ runner.temp }}/.buildx-cache,mode=max \
+          --provenance=false
 
 outputs:
   image:

.github/workflows/integration.yml

@@ -256,8 +256,8 @@ jobs:
           #- helm-upgrade
           - multicluster
           - uninstall
-          - upgrade-edge
-          - upgrade-stable
+          # - upgrade-edge
+          # - upgrade-stable
     continue-on-error: true
     runs-on: ubuntu-20.04
     timeout-minutes: 15

.github/workflows/release.yml

@@ -12,6 +12,7 @@ permissions:
 env:
   GH_ANNOTATION: true
   DOCKER_REGISTRY: ghcr.io/linkerd
+  K3D_VERSION: v5.4.4
 
 jobs:
   # TODO(ver) We should stop relying so heavily on the environment,
@@ -145,7 +146,7 @@ jobs:
       uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
       with:
-        go-version: '1.17'
+        go-version: '1.18'
     - name: Download image archives
       uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
       with:
@@ -170,16 +171,16 @@ jobs:
         # Skipping Helm upgrade test given chart in 2.11 is backwards-incompatible
         #- helm-upgrade
         - uninstall
-        - upgrade-edge
-        - upgrade-stable
+        # - upgrade-edge
+        # - upgrade-stable
     timeout-minutes: 60
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout code
       uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
       with:
-        go-version: '1.17'
+        go-version: '1.18'
     - name: Set environment variables from scripts
       run: |
         TAG='${{ needs.tag.outputs.tag }}'
@@ -196,44 +197,44 @@ jobs:
         bin/tests --images preload --name ${{ matrix.integration_test }} "$CMD"
 
   arm64_integration_tests:
-    name: ARM64 integration tests
-    timeout-minutes: 60
-    runs-on: ubuntu-20.04
     needs: [tag, docker_build, policy_controller_manifest]
+    runs-on: [self-hosted, Linux, ARM64]
+    timeout-minutes: 30
     steps:
-    - name: Checkout code
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
-    - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
-      with:
-        go-version: '1.17'
-    - name: Set environment variables from scripts
-      run: |
-        TAG='${{ needs.tag.outputs.tag }}'
-        CMD="$PWD/target/release/linkerd2-cli-$TAG-linux-amd64"
-        echo "CMD=$CMD" >> "$GITHUB_ENV"
-        echo "TAG=$TAG" >> "$GITHUB_ENV"
-    - name: Install linkerd CLI
-      run: |
-        bin/docker-pull-binaries "$TAG"
-        "$CMD" version --client
-        # validate CLI version matches the repo
-        [[ "$TAG" == "$($CMD version --short --client)" ]]
-        echo "Installed Linkerd CLI version: $TAG"
-    - name: Set KUBECONFIG environment variables
-      run: |
-        mkdir -p "$HOME"/.kube
-        echo "${{ secrets.ARM64_KUBECONFIG }}" > "$HOME"/.kube/config
-        echo "KUBECONFIG=$HOME/.kube/config" >> "$GITHUB_ENV"
-        kubectl cluster-info
-    - name: Run integration tests
-      env:
-        RUN_ARM_TEST: 1
-        LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
-      run: bin/tests --name deep --images preload --skip-cluster-create "$CMD"
-    - run: go test -cover -race -v -mod=readonly ./cni-plugin/test -integration-tests
-    # Cleanup may fail if other steps didn't run. Ignore the error.
-    - run: bin/test-cleanup "$CMD" || true
-      if: always()
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+        with:
+          go-version: '1.18'
+      - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
+      - name: Pull linkerd binary
+        run: |
+          TAG='${{ needs.tag.outputs.tag }}'
+          bin/docker-pull-binaries "$TAG"
+          CMD="$PWD/target/release/linkerd2-cli-$TAG-linux-arm64"
+          echo "CMD=$CMD" >> "$GITHUB_ENV"
+          "$CMD" version --client
+      - uses: extractions/setup-just@95b912dc5d3ed106a72907f2f9b91e76d60bdb76
+      - uses: azure/setup-kubectl@7f7e5ba5ea3e491b92e6e8e5819963f8f3a1f076
+      - name: Setup k3d
+        run: |
+          mkdir -p "$PWD/target/bin"
+          PATH=$PATH:"$PWD/target/bin"
+          echo "PATH=$PATH" >> "$GITHUB_ENV"
+          bin/scurl "https://raw.githubusercontent.com/k3d-io/k3d/${{ env.K3D_VERSION }}/install.sh" \
+            | USE_SUDO=false K3D_INSTALL_DIR=$PWD/target/bin bash
+      - name: Cluster setup
+        run: |
+         CLUSTER_NAME=$(printf "${{ github.ref_name }}" | tr -c '[:alnum:]' -)
+         echo "CLUSTER_NAME=$CLUSTER_NAME" >> "$GITHUB_ENV"
+         just k3d-name="$CLUSTER_NAME" k3d-create
+         just k3d-name="$CLUSTER_NAME" k3d-use
+      - env:
+          RUN_ARM_TEST: 1
+          LINKERD_DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
+        run: go test ./test/integration/deep/... --integration-tests --linkerd "$CMD"
+      - name: Delete cluster
+        if: always()
+        run: just k3d-name="$CLUSTER_NAME" k3d-delete
 
   choco_pack:
     # only runs for stable tags. The conditionals are at each step level instead of the job level

.golangci.yml

@@ -48,6 +48,14 @@ linters:
   disable:
   - structcheck
 
+linters-settings:
+  revive:
+    rules:
+    - name: package-comments
+      disabled: true
+  stylecheck:
+    checks: ["ST1019"]
+
 issues:
   exclude-use-default: false
   exclude-rules:

.proxy-version

@@ -1 +1 @@
-v2.187.0
+v2.188.0

BUILD.md

@@ -41,7 +41,7 @@ about testing from source can be found in the [TEST.md](TEST.md) guide.
   - [Making changes to the chart templates](#making-changes-to-the-chart-templates)
   - [Generating Helm charts docs](#generating-helm-charts-docs)
   - [Using helm-docs](#using-helm-docs)
-  - [Annotating values.yml](#annotating-valuesyml)
+  - [Annotating values.yaml](#annotating-valuesyaml)
   - [Markdown templates](#markdown-templates)
 
 ## Repo layout
@@ -510,8 +510,8 @@ the templates.
 
 ### Generating Helm charts docs
 
-Whenever a new chart is created, or updated a README should be generated from
-the chart's values.yml. This can be done by utilizing the bundled
+Whenever a new chart is created or updated a README should be generated from
+the chart's `values.yaml`. This can be done by utilizing the bundled
 [helm-docs](https://github.com/norwoodj/helm-docs) binary. For adding additional
 information, such as specific installation instructions a README template is
 required to be created. Check existing charts for examples.
@@ -531,9 +531,9 @@ Note:
 The tool searches through the current directory and sub-directories by default.
 For additional information checkout their repo above.
 
-#### Annotating values.yml
+#### Annotating values.yaml
 
-To allow helm-docs to properly document the values in values.yml a descriptive
+To allow helm-docs to properly document the values in `values.yaml` a descriptive
 comment is required. This can be done in two ways.
 Either comment the value directly above with
 `# -- This is a really nice value` where the double dashes automatically

CHANGES.md

@@ -1,5 +1,122 @@
 # Changes
 
+## stable-2.12.5
+
+This stable release fixes an incompatibility issue with the AWS CNI addon in EKS
+that was forbidding pods to acquire networking after scaling up nodes (thanks
+@frimik!). It also includes security updates for dependencies.
+
+* Detached the linkerd-cni plugin's version from linkerd's and bumped to v1.1.1
+  to fix incompatibility with EKS' AWS CNI addon
+* Bumped the memory limit for the no-op init container to 25Mi to address issues
+  on OKE environments
+* Updated `h2` dependency in the policy controller to include a patch for a
+  theoretical denial-of-service vulnerability discovered in CVE-2023-26964
+* Updated `openssl` dependency in the policy controller, addressing
+  RUSTSEC-2023-0022, RUSTSEC-2023-0023 and RUSTSEC-2023-0024
+
+## stable-2.12.4
+
+This stable release fixes a memory leak in the Destination controller, and also
+includes other bug fixes for the Linkerd control plane, CLI, and extensions.
+
+* CLI
+  * Fixed an issue in the CLI where `--identity-external-ca` would set an
+    incorrect field (thanks @anoxape!)
+
+* Control Plane
+  * Fixed an issue in the destination controller's cache that could result in
+    stale endpoints when using EndpointSlice objects
+  * Fixed control plane components failing liveness probes while waiting for
+    caches to sync, which could prevent the control plane from starting in large
+    clusters
+  * Fixed a memory leak in the Destination controller
+
+* linkerd-proxy-init
+  * Added resource limits for `noop` init container, to support environments
+    where resource quotas are required
+
+* Helm
+  * Added namespace to namespace-metadata resources in Helm (thanks
+    @joebowbeer!)
+  * Fixed potential nil pointer dereference errors in template evaluation
+
+* Extensions
+  * Fixed an issue where `linkerd viz tap` would display wrong latency/duration
+    value (thanks @olegy2008!)
+
+## stable-2.12.3
+
+This stable release is packed with various fixes in both the core linkerd
+controllers and extensions.
+
+* CLI
+  * Fixed `linkerd check` failing when the cluster had services of type
+    `ExternalName`
+  * Fixed `linkerd multicluster install` not honoring the `gateway.UID` setting
+  * Fixed flag `linkerd upgrade --from-manifests`
+
+* Destination Controller
+  * Fixed race condition in destination controller
+  * Fixed issue in the destination controller where `hostPort` mappings were
+    being ignored
+
+* linkerd-proxy-init
+  * Set the `noop` init container user to be the same as `proxy-init`'s to avoid
+    errors when the security context disallows running as root
+  * Introduced `proxyInit.privileged` setting to allow running
+    `linkerd-proxy-init` without restrictions when required
+  * Added port 6443 to default skipped ports to bypass proxy when ebpf CNIs
+    override the API Server packet destination
+
+* Extensions
+  * Removed unnecessary `proxyProtocol` restriction in the multicluster gateway
+    Server (thanks @psmit!)
+  * Added "Exists" toleration to the `linkerd-cni` DaemonSet to have it
+    installed by default in tainted nodes
+  * Make dashboard loading more robust when in the presence of browser plugins
+    injecting script tags (thanks @junnplus!)
+
+## stable-2.12.2
+
+This stable release fixes an issue with CNI chaining that was preventing the
+Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
+fixes some sections of the Viz dashboard appearing blank, and adds an optional
+PodMonitor resource to the Helm chart to enable easier integration with the
+Prometheus Operator. Several other fixes are included.
+
+* Proxy
+  * Fixed proxies emitting some duplicate inbound metrics
+
+* Control Plane
+  * Fixed handling of `.conf` files in the CNI plugin so that the Linkerd CNI
+    plugin can be used alongside other CNI plugins such as Cilium
+  * Added a noop init container to injected pods when the CNI plugin is enabled
+    to prevent certain scenarios where a pod can get stuck without an IP address
+  * Fixed the `NotIn` label selector operator in the policy resources being
+    erroneously treated as `In`.
+  * Fixed a bug where the`config.linkerd.io/proxy-version` annotation could be
+    empty
+
+* CLI
+  * Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
+  * Added a check that ClusterIP services are in the cluster networks
+  * Expanded the `linkerd authz` command to display AuthorizationPolicy
+    resources that target namespaces (thanks @aatarasoff!)
+  * Fixed warning logic in the "linkerd-viz ClusterRoles exist" and "linkerd-viz
+    ClusterRoleBindings exist" checks in `linkerd viz check`
+  * Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
+
+* Helm
+  * Added an optional PodMonitor resource to the main Helm chart (thanks
+    @jaygridley!)
+
+* Dashboard
+  * Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
+    @MoSattler!)
+  * Updated Grafana dashboards to use variable duration parameter so that they
+    can be used when Prometheus has a longer scrape interval (thanks @TarekAS)
+
 ## edge-22.10.2
 
 This edge release fixes an issue with CNI chaining that was preventing the