Skip to content
This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

v1.2.0
Compare
Choose a tag to compare
@github-actions github-actions released this 20 Jul 21:58
v1.2.0
893ff87
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Notable changes

  • Custom trust domains (i.e. certificate CommonNames) are now supported
  • The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
  • Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
    • This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar
  • Added support for Kubernetes 1.23 and 1.24
  • Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
  • Statefulsets and headless services have been fixed and work as expected

Breaking Changes

  • The following metrics no longer use the label common_name, due to the fact that the common name's trust domain can rotate. Instead 2 new labels, proxy_uuid and identity have been added.
    • osm_proxy_response_send_success_count
    • osm_proxy_response_send_error_count
    • osm_proxy_xds_request_count
  • Support for Kubernetes 1.20 and 1.21 has been dropped
  • Multi-arch installation supported by the Chart Helm by customizing the affinity and nodeSelector fields
  • Root service in a TrafficSplit configuration must have a selector matching the pods backing the leaf services. The legacy behavior where a root service without a selector matching the pods backing the leaf services is able to split traffic, has been removed.

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0

Changelog

  • chore(release): cut v1.2.0 (#4927) 893ff87 (Jon Huhn)
  • chore(release): add missing cherry picks (#4932) 4c832d1 (Jon Huhn)
  • fix: update v1.2 release notes (#4916) (#4918) 929c114 (Jackie Elliott)
  • demo/scripts: fix bookstore app label and container name (#4910) 9749020 (Shashank Ram)
  • [backport] traffic-split: update root service selector & targetPort usage (#4902) (#4905) f5f3603 (Shashank Ram)
  • Fix Contour helm chart (#4901) 951d403 (Keith Mattix II)
  • update release versions and image digests (#4886) d40f9b8 (steeling)
  • rename test files to include _test suffix (#4882) 3a7c924 (steeling)
  • Modify release notes (#4865) 84e2bf1 (Keith Mattix II)
  • Plumb trust domain through to helm chart (#4877) c0264ec (Keith Mattix II)
  • Add GitHub Action to require size and kind labels (#4876) 4da737e (Thomas Stringer)
  • ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf1 (Jackie Elliott)
  • test((benchmark): add Golang benchmark test cases c7036e7 (Allen Leigh)
  • small cert related changes. (#4870) fa17242 (steeling)
  • Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989a (steeling)
  • Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559 (steeling)
  • Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c781 (Thomas Stringer)
  • self-nominate steeling as a maintainer (#4824) 854edda (steeling)
  • Add @keithmattix as a codeowner maintainer (#4861) 9d5e442 (Thomas Stringer)
  • Don't allow envoy sidecar privilege escalation (#4860) 80de3bb (Keith Mattix II)
  • Fix MRC status (#4856) bb007fd (Keith Mattix II)
  • validator: validate HTTP rate limiting status code (#4857) 4a1b993 (Shashank Ram)
  • release-notes: add rate limiting to v1.2 notes (#4859) 9222555 (Shashank Ram)
  • Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee64 (steeling)
  • Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ea (Shalier Xia)
  • fix: update configClient call and logging (#4854) d970b24 (Jackie Elliott)
  • feat(certs): get Vault token from Secret (#4753) baff85f (Jackie Elliott)
  • Fix flaky e2e tests (#4844) 4a3d57d (Keith Mattix II)
  • rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3 (Shashank Ram)
  • install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e (steeling)
  • Update Kubernetes version testing (#4836) 831f023 (Thomas Stringer)
  • envoy: update to latest version and fix typed proto usage (#4834) 08c646b (Shashank Ram)
  • fix(certs): update checkAndRotate to use current durations (#4800) 28b3238 (Jackie Elliott)
  • cli: Shows message for no meshes (#4738) 905005f (mudit singh)
  • Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732 (Jackie Elliott)
  • cert: Use MRCs on startup (#4816) 30885c9 (Keith Mattix II)
  • start with a clean slate for future multicluster work (#4805) e3700d6 (steeling)
  • feat(certs): use State for MeshRootCertificate status (#4812) 46b7165 (schristoff)
  • Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3 (steeling)
  • doc: use lower case for "cloud native" (#4792) 8b1c3cc (mudit singh)
  • rate-limit: implement connection level local rate limiting (#4823) ac27868 (Shashank Ram)
  • cli: Improved error handling (#4808) 327b5b0 (mudit singh)
  • envoy/cds: add nil check for ConnectionSettings (#4821) a5b3716 (Shashank Ram)
  • ref(contributors): update contributor roles and requirements (#4776) 5ee33f3 (Shalier Xia)
  • envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f72969 (Shashank Ram)
  • Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07a (Thomas Stringer)
  • (k8s/informers): use InformerCollection for other clients (#4804) 241e8ae (Keith Mattix II)
  • rate-limiting: plumb config into inbound policies (#4807) 7046cf2 (Shashank Ram)
  • Set (empty) trust domain on listener builder (#4802) 3061b05 (steeling)
  • rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532 (Shashank Ram)
  • k8s/informers: centralize informers to simplify code (#4801) 47c06ab (Keith Mattix II)
  • docs(README): move support to a community support file (#4785) 914e8f3 (Zach Rhoads)
  • Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e5 (steeling)
  • apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba3 (Shashank Ram)
  • docs(contrib): add security.md (#4722) 0ba8d42 (schristoff)
  • Increase retry timeout cert-manager (#4795) 412fbcb (Niranjan Shankar)
  • ref(*): remove CN from *envoy.Proxy (#4773) c318b68 (steeling)
  • demo: Add scripts for Kafka demo (#4770) d3596c0 (Keith Mattix II)
  • ref(certs): mrc ca handling (#4781) 6045fb7 (Keith Mattix II)
  • feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7 (Jon Huhn)
  • fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72 (Niranjan Shankar)
  • feat(certs): add trust domain to mesh root certificate (#4767) c24012f (steeling)
  • Decouple certificate common name from proxy registry (#4763) 436e24f (steeling)
  • test(*): add retry policy e2e (#4600) 28ed531 (Shalier Xia)
  • ref(ci): update actions/setup-go to v3 db71482 (Jon Huhn)
  • ref(ci): run tests/scenarios as unit tests 6c38317 (Jon Huhn)
  • Decouple certificate common name from various components (#4759) ae53c47 (steeling)
  • Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a7 (Thomas Stringer)
  • ref(e2e): move k8s version test config to CI 5ec3e75 (Jon Huhn)
  • ref(ci): remove PR/push distinction in e2e tests f73b9af (Jon Huhn)
  • feat(certs): create MRC on install (#4747) 7ddd4d1 (Jackie Elliott)
  • remove unused code paths (#4758) 27ab5a7 (steeling)
  • Add root path ingress e2e test (#4756) 15f0a18 (Niranjan Shankar)
  • fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60 (Thomas Stringer)
  • contrib: add guideline for design docs (#4757) a241cba (Shashank Ram)
  • feat(cert): cert rotation state management (#4743) ecc4e67 (steeling)
  • Feature/statefulsets: fix protocol detection for ports (#4752) 9b11d76 (Keith Mattix II)
  • remove head of line blocking from workerpool (#4648) d1ef8b1 (steeling)
  • cli/verifier: add control plane health probe checks (#4751) dd42d04 (Shashank Ram)
  • (feat/statefulsets): MeshService API changes for Headless Services (#4704) 0af42df (Keith Mattix II)
  • fix(demo): remove unneeded port-forward for bookstore (#4740) 3395da5 (Jon Huhn)
  • ref(certs): use secretKeyRef for Vault token in MRC (#4736) 855776a (Jackie Elliott)
  • cli/verifier: use pod status conditions for readiness check (#4749) 9ffa3d3 (Shashank Ram)
  • ref(certs): unexport methods on cert manager (#4742) 21bc67d (steeling)
  • cli/verifier: add ingress verification (#4715) ec9b9f9 (Keith Mattix II)
  • feat(certificate): create a compat layer for provider generation (#4718) 00bc363 (steeling)
  • feat(envoy): allow websocket upgrade for all http connections (#4741) 96e0879 (Martin Andreas Ullrich)
  • cli/verifier: add control-plane-health command (#4734) fc638c3 (Shashank Ram)
  • feat(api/MeshRootCertificate): add informer client (#4721) 5a885ef (Jackie Elliott)
  • chore(release): update chart version (#4730) 102baf5 (Jon Huhn)
  • cli/verifier: add cluster check for egress (#4729) 53a2238 (Shashank Ram)
  • fix(demo): default USE_PRIVATE_REGISTRY to false (#4727) 6a5e689 (Jon Huhn)
  • refactor(cmd/cli): update uninstall cmd (#4664) 76d177f (Shalier Xia)
  • egress: add cli verifier and rename traffic match (#4724) a6d71d2 (Shashank Ram)
  • policy: Updates retry policy API (#4627) 1278055 (Shalier Xia)
  • ref(cert): update Manager to support mult clients (#4705) a8330dc (Jackie Elliott)
  • cli/verifier: add stubs for egress checks (#4719) 87b709d (Shashank Ram)
  • cli/verifier: verify presence of secrets (#4714) 55bdb17 (Shashank Ram)
  • Fix e2e_client_server_connectivity_test noInstall (#4708) 1e7d22a (Niranjan Shankar)
  • refactor k8s root ca secret access (#4657) bd5247b (steeling)
  • ref(certs): refactor k8s root ca secret access (#4657) 896fb7a (steeling)
  • crds: add MeshRootCertificate CRD (#4687) 19eb161 (Jackie Elliott)
  • docs(contrib): recommend not rewriting git history (#4709) 876579b (Jon Huhn)
  • bugreport: collect more ingress & control plane info (#4703) 13802e8 (Shashank Ram)
  • pkg/injector: Enable podIP proxying via meshconfig setting (#4701) 0ad92c9 (Keith Mattix II)
  • add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 63715c0 (steeling)
  • feat(injector): add list of ignored network interfaces (#4700) f922b5c (Jon Huhn)
  • cli/verifier: check presence of service cluster (#4695) ddd10e2 (Shashank Ram)
  • config/meshConfig: New localProxyMode field (#4686) 86690a3 (Keith Mattix II)
  • feat(certificates) rework cert manager, integrate rotor (#4645) d485366 (schristoff)
  • fix(certificates): fail politely in tresor's cert issuer (#4696) ce2a0e5 (schristoff)
  • cli/verifier: derive appProtocol from service (#4691) 77b4dd8 (Shashank Ram)
  • Support pod recreation for the kubectl debug command. (#4688) 0a1653e (steeling)
  • cli/verifier: verify basic HTTP route configs (#4682) 24a494b (Shashank Ram)
  • Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) bc3ff99 (Keith Mattix II)
  • config/meshConfig: New localProxyMode field (#4671) (#4680) a8a3dbb (steeling)
  • apis: add MeshRootCertificate API types (#4677) 455887d (Jackie Elliott)
  • ref(injector): load bootstrap SDS configuration from filesystem (#4635) 0163584 (Jackie Elliott)
  • fix(doc): update release guide (#4661) 4f204dd (Jon Huhn)
  • feat(metrics): add osm_events_queued metric (#4670) 4cd4f6a (Jon Huhn)
  • config/meshConfig: New localProxyMode field (#4671) 966405b (Keith Mattix II)
  • IngressBackend UpstreamTrafficSetting validations (#4640) a54b404 (Keith Mattix II)
  • expose the version information via prometheus (#4679) 1faa13a (steeling)
  • fix: upgrade vulnerable library crypto (#4676) 1550133 (allenlsy)
  • ref(test): migrate e2e app to Fortio (#4631) cf1395e (allenlsy)
  • cli/verifier: verify destination for connectivity config (#4672) f04a613 (Shashank Ram)
  • chore(release): Update Chart.yaml to use release v1.1 (#4662) 2f36980 (schristoff)
  • envoy/verifier: add source config checker (#4658) 82492c0 (Shashank Ram)
  • update prometheus v2.34.0 (#4666) f021edd (Niranjan Shankar)
  • tests: move fakes to own sub-package (#4667) 5c966ac (Shashank Ram)
  • Reword the README note about OSM's production readiness. (#4660) 46781f2 (Thomas Stringer)
  • cli/verifier: add Envoy config dump parser (#4646) a918abf (Shashank Ram)
  • ref(smi): remove unused kubeClient from smi client (#4643) 95a898f (Deepesh Pathak)
  • cli: add verify command (#4639) 9be0fa4 (Shashank Ram)
  • Add --overwrite to kubectl label cmd in osm bootstrap (#4641) af50d17 (Niranjan Shankar)
  • fix(ci): fix lint (#4629) 9ca8e41 (Jon Huhn)

Contributors

keithmattix
Assets 13
Loading