stable-2.14.1 (#11405)
* stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed timeout from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
mateiidavid and hawkw authored Sep 25, 2023
1 parent f5e490c commit f496587
Showing 68 changed files with 169 additions and 113 deletions.
2 changes: 1 addition & 1 deletion .proxy-version
@@ -1 +1 @@
v2.209.0
v2.210.0
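Review bot: the bump from v2.209.0 to v2.210.0 is the only line in this commit that carries the proxy-side fix for [RUSTSEC-2023-0052] cited in the message, and nothing here records which `webpki` version the new proxy pins. Please reference the v2.210.0 proxy release (or the edge-29.9.2 entry in CHANGES.md that describes the `webpki` dependency update) from the commit message or the stable-2.14.1 section, so reviewers and downstream users can verify that this tag actually closes the advisory rather than taking the version string on faith.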
56 changes: 56 additions & 0 deletions CHANGES.md
@@ -1,5 +1,61 @@
# Changes

## stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release includes numerous other fixes and
enhancements and addresses two security vulnerabilities,
[CVE-2023-2603][CVE-2023-2603-stable] detected in the proxy-init runtime
image's libcap library and [RUSTSEC-2023-0052][RUSTSEC-2023-0052-stable], a
potential CPU usage denial-of-service attack in the proxy's `webpki` library
dependency.

* CLI
* Fixed `linkerd check --proxy` incorrectly checking the proxy version of
pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
inject` (thanks @mikutas!) ([#10231])

* CNI
* Addressed security vulnerability [CVE-2023-2603][CVE-2023-2603-stable] in
proxy-init and CNI plugin ([#11296])

* Control Plane
* Changed how hostPort lookups are handled in the destination service.
Previously, when doing service discovery for an endpoint bound on a
hostPort, the destination service would return the corresponding pod IP. On
pod restart, this could lead to loss of connectivity on the client's side.
The destination service now always returns host IPs for service discovery
on an endpoint that uses hostPorts ([#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
(thanks @mikutas!) ([#11149])

* Helm
* Removed unnecessary `linkerd.io/helm-release-version` annotation from the
`linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
[#10778])
* Introduced resource requests/limits for the policy controller resource in
the control plane helm chart ([#11301])

* Multicluster
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
multicluster link would cause all services to be mirrored ([#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
metrics exist the command will return instantly ([#11265])
* Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
* Addressed security vulnerability
[RUSTSEC-2023-0052][RUSTSEC-2023-0052-stable] in the proxy ([#11361])

[CVE-2023-2603-stable]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052-stable]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html

## edge-29.9.2

This edge release updates the proxy's dependency on the `webpki` library to
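Review bot: the new stable-2.14.1 section uses reference-style links `[#11295]`, `[#11280]`, `[#10231]`, `[#11296]`, `[#11328]`, `[#11149]`, `[#11329]`, `[#10778]`, `[#11301]`, `[#11309]`, `[#11265]` and `[#11361]`, but the hunk only defines `[CVE-2023-2603-stable]` and `[RUSTSEC-2023-0052-stable]`. Unless every one of those PR references is already defined elsewhere in the file (for instance under the edge-release sections further down), Markdown renders them as literal bracketed text; the commit message already carries the definitions (`[#11295]: #11295` and so on), so either add that block after the two advisory definitions or confirm the references resolve in the rendered file. Separately, `[#11265]` is cited for both the `linkerd multicluster gateways` timeout removal and the `linkerd multicluster link` help-text change; if those landed as separate pull requests, one of the two numbers is wrong.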
2 changes: 1 addition & 1 deletion charts/linkerd-control-plane/Chart.yaml
Expand Up @@ -16,7 +16,7 @@ dependencies:
- name: partials
version: 0.1.0
repository: file://../partials
version: 1.16.1-edge
version: 1.16.2
icon: https://linkerd.io/images/logo-only-200h.png
maintainers:
- name: Linkerd authors
4 changes: 2 additions & 2 deletions charts/linkerd-control-plane/README.md
Expand Up @@ -3,7 +3,7 @@
Linkerd gives you observability, reliability, and security
for your microservices — with no code change required.

![Version: 1.16.1-edge](https://img.shields.io/badge/Version-1.16.1--edge-informational?style=flat-square)
![Version: 1.16.2](https://img.shields.io/badge/Version-1.16.2-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)

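Review bot: the Version badge moves to the stable `1.16.2`, but the AppVersion badge two lines below stays at the `edge-XX.X.X` placeholder. If that badge is templated and substituted by release tooling this is fine; otherwise the README for a stable chart will advertise an edge placeholder and the app version should be set in this same change, alongside the Version badge.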
Expand Down Expand Up @@ -256,7 +256,7 @@ Kubernetes: `>=1.21.0-0`
| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
| proxyInit.image.version | string | `"v2.2.2"` | Tag for the proxy-init container Docker image |
| proxyInit.image.version | string | `"v2.2.3"` | Tag for the proxy-init container Docker image |
| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
2 changes: 1 addition & 1 deletion charts/linkerd-control-plane/values.yaml
Expand Up @@ -217,7 +217,7 @@ proxyInit:
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy-init container Docker image
version: v2.2.2
version: v2.2.3
resources:
cpu:
# -- Maximum amount of CPU units that the proxy-init container can use
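Review bot: `version: v2.2.3` under `proxyInit` is the default that delivers the proxy-init fix for [CVE-2023-2603] named in the commit message, and nothing else in the chart enforces a minimum tag. Any installation that overrides `proxyInit.image.version`, or that pins the image in a pre-rendered manifest the way the golden files in this commit do (`image: cr.l5d.io/linkerd/proxy-init:v2.2.3`), keeps whatever tag it had before. CHANGES.md should tell operators to check such overrides after upgrading, and a `linkerd check` item that flags proxy-init tags older than v2.2.3 would make the gap visible instead of silent.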
2 changes: 1 addition & 1 deletion charts/linkerd2-cni/Chart.yaml
Expand Up @@ -9,4 +9,4 @@ description: |
kubeVersion: ">=1.21.0-0"
icon: https://linkerd.io/images/logo-only-200h.png
name: "linkerd2-cni"
version: 30.12.0-edge
version: 30.12.1
4 changes: 2 additions & 2 deletions charts/linkerd2-cni/README.md
Expand Up @@ -6,7 +6,7 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting
up your pod's network so incoming and outgoing traffic is proxied through the
data plane.

![Version: 30.12.0-edge](https://img.shields.io/badge/Version-30.12.0--edge-informational?style=flat-square)
![Version: 30.12.1](https://img.shields.io/badge/Version-30.12.1-informational?style=flat-square)

![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)

Expand All @@ -31,7 +31,7 @@ Kubernetes: `>=1.21.0-0`
| ignoreOutboundPorts | string | `""` | Default set of outbound ports to skip via iptables |
| image.name | string | `"cr.l5d.io/linkerd/cni-plugin"` | Docker image for the CNI plugin |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linkerd-cni container |
| image.version | string | `"v1.2.1"` | Tag for the CNI container Docker image |
| image.version | string | `"v1.2.2"` | Tag for the CNI container Docker image |
| imagePullSecrets | list | `[]` | |
| inboundProxyPort | int | `4143` | Inbound port for the proxy container |
| logLevel | string | `"info"` | Log level for the CNI plugin |
2 changes: 1 addition & 1 deletion charts/linkerd2-cni/values.yaml
Expand Up @@ -53,7 +53,7 @@ image:
# -- Docker image for the CNI plugin
name: "cr.l5d.io/linkerd/cni-plugin"
# -- Tag for the CNI container Docker image
version: "v1.2.1"
version: "v1.2.2"
# -- Pull policy for the linkerd-cni container
pullPolicy: IfNotPresent

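Review bot: `version: "v1.2.2"` is the CNI plugin tag that carries the [CVE-2023-2603] fix on the CNI path (the commit message states that [#11296] covers both proxy-init and the CNI plugin). The `linkerd2-cni` chart is versioned and installed separately from `linkerd-control-plane`, so a cluster that upgrades the control-plane chart but not this one stays on v1.2.1 while appearing to run stable-2.14.1. CHANGES.md should state explicitly that both charts have to be rolled for the advisory to be fully addressed in CNI-mode installs.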
2 changes: 1 addition & 1 deletion cli/cmd/install-cni-plugin_test.go
Expand Up @@ -16,7 +16,7 @@ func TestRenderCNIPlugin(t *testing.T) {

image := cniPluginImage{
name: "my-docker-registry.io/awesome/cni-plugin-test-image",
version: "v1.2.1",
version: "v1.2.2",
pullPolicy: nil,
}
fullyConfiguredOptions := &cniPluginOptions{
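Review bot: the test pins `version: "v1.2.2"` as a literal, so every CNI image bump has to touch this fixture as well as `install_cni_helm_test.go` in the same commit. If the CLI derives its default CNI image version from a single value that the chart and installer both render from, the test should reference that value so a missed fixture edit cannot mask a stale default; if the literal is deliberate as a regression guard against unintended bumps, a one-line comment saying so would save the next person from "fixing" it.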
2 changes: 1 addition & 1 deletion cli/cmd/install_cni_helm_test.go
Expand Up @@ -35,7 +35,7 @@ func TestRenderCniHelm(t *testing.T) {
"logLevel": "debug",
"image": {
"name": "cr.l5d.io/linkerd/cni-plugin",
"version": "v1.2.1"
"version": "v1.2.2"
},
"proxyUID": 1111,
"destCNINetDir": "/etc/cni/net.d-test",
Expand Up @@ -172,7 +172,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.2
image: cr.l5d.io/linkerd/proxy-init:v2.2.3
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Up @@ -172,7 +172,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.2
image: cr.l5d.io/linkerd/proxy-init:v2.2.3
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Down Expand Up @@ -386,7 +386,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.2
image: cr.l5d.io/linkerd/proxy-init:v2.2.3
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Up @@ -172,7 +172,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.2
image: cr.l5d.io/linkerd/proxy-init:v2.2.3
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
2 changes: 1 addition & 1 deletion cli/cmd/testdata/inject_contour.golden.yml
8 changes: 4 additions & 4 deletions cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml
2 changes: 1 addition & 1 deletion cli/cmd/testdata/inject_emojivoto_deployment.golden.yml
4 changes: 2 additions & 2 deletions cli/cmd/testdata/inject_emojivoto_list.golden.yml
0 comments on commit f496587