This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

v1.2.0-rc.1

Pre-release
@github-actions github-actions released this 12 Jul 19:43
d40f9b8

Notable changes

  • OSM certificate provider is now configured using the new CRD, MeshRootCertificate
    • Custom trust domains (i.e. certificate CommonNames) are now supported
  • The authentication token used to configure the HashiCorp Vault certificate provider can now be passed in using a secretRef
  • Along with root certificate rotation, we support custom trust domains, as well as rotating to new trust domains with no downtime.
  • Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
    • This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar, because the distroless image does not include a shell
  • Added support for Kubernetes 1.23 and 1.24
  • Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
  • StatefulSets and headless services have been fixed and work as expected

Breaking Changes

  • The following metrics no longer use the label common_name, because the common name's trust domain can rotate. Instead, 2 new labels, proxy_uuid and identity, have been added.
    • osm_proxy_response_send_success_count
    • osm_proxy_response_send_error_count
    • osm_proxy_xds_request_count
  • Support for Kubernetes 1.20 and 1.21 has been dropped
  • Multi-arch installation is supported by the Helm chart by customizing the affinity and nodeSelector fields

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0-rc.1

Changelog

  • update release versions and image digests (#4886) d40f9b8 (steeling)
  • rename test files to include _test suffix (#4882) 3a7c924 (steeling)
  • Modify release notes (#4865) 84e2bf1 (Keith Mattix II)
  • Plumb trust domain through to helm chart (#4877) c0264ec (Keith Mattix II)
  • Add GitHub Action to require size and kind labels (#4876) 4da737e (Thomas Stringer)
  • ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf1 (Jackie Elliott)
  • test((benchmark): add Golang benchmark test cases c7036e7 (Allen Leigh)
  • small cert related changes. (#4870) fa17242 (steeling)
  • Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989a (steeling)
  • Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559 (steeling)
  • Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c781 (Thomas Stringer)
  • self-nominate steeling as a maintainer (#4824) 854edda (steeling)
  • Add @keithmattix as a codeowner maintainer (#4861) 9d5e442 (Thomas Stringer)
  • Don't allow envoy sidecar privilege escalation (#4860) 80de3bb (Keith Mattix II)
  • Fix MRC status (#4856) bb007fd (Keith Mattix II)
  • validator: validate HTTP rate limiting status code (#4857) 4a1b993 (Shashank Ram)
  • release-notes: add rate limiting to v1.2 notes (#4859) 9222555 (Shashank Ram)
  • Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee64 (steeling)
  • Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ea (Shalier Xia)
  • fix: update configClient call and logging (#4854) d970b24 (Jackie Elliott)
  • feat(certs): get Vault token from Secret (#4753) baff85f (Jackie Elliott)
  • Fix flaky e2e tests (#4844) 4a3d57d (Keith Mattix II)
  • rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3 (Shashank Ram)
  • install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e (steeling)
  • Update Kubernetes version testing (#4836) 831f023 (Thomas Stringer)
  • envoy: update to latest version and fix typed proto usage (#4834) 08c646b (Shashank Ram)
  • fix(certs): update checkAndRotate to use current durations (#4800) 28b3238 (Jackie Elliott)
  • cli: Shows message for no meshes (#4738) 905005f (mudit singh)
  • Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732 (Jackie Elliott)
  • cert: Use MRCs on startup (#4816) 30885c9 (Keith Mattix II)
  • start with a clean slate for future multicluster work (#4805) e3700d6 (steeling)
  • feat(certs): use State for MeshRootCertificate status (#4812) 46b7165 (schristoff)
  • Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3 (steeling)
  • doc: use lower case for "cloud native" (#4792) 8b1c3cc (mudit singh)
  • rate-limit: implement connection level local rate limiting (#4823) ac27868 (Shashank Ram)
  • cli: Improved error handling (#4808) 327b5b0 (mudit singh)
  • envoy/cds: add nil check for ConnectionSettings (#4821) a5b3716 (Shashank Ram)
  • ref(contributors): update contributor roles and requirements (#4776) 5ee33f3 (Shalier Xia)
  • envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f72969 (Shashank Ram)
  • Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07a (Thomas Stringer)
  • (k8s/informers): use InformerCollection for other clients (#4804) 241e8ae (Keith Mattix II)
  • rate-limiting: plumb config into inbound policies (#4807) 7046cf2 (Shashank Ram)
  • Set (empty) trust domain on listener builder (#4802) 3061b05 (steeling)
  • rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532 (Shashank Ram)
  • k8s/informers: centralize informers to simplify code (#4801) 47c06ab (Keith Mattix II)
  • docs(README): move support to a community support file (#4785) 914e8f3 (Zach Rhoads)
  • Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e5 (steeling)
  • apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba3 (Shashank Ram)
  • docs(contrib): add security.md (#4722) 0ba8d42 (schristoff)
  • Increase retry timeout cert-manager (#4795) 412fbcb (Niranjan Shankar)
  • ref(*): remove CN from *envoy.Proxy (#4773) c318b68 (steeling)
  • demo: Add scripts for Kafka demo (#4770) d3596c0 (Keith Mattix II)
  • ref(certs): mrc ca handling (#4781) 6045fb7 (Keith Mattix II)
  • feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7 (Jon Huhn)
  • fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72 (Niranjan Shankar)
  • feat(certs): add trust domain to mesh root certificate (#4767) c24012f (steeling)
  • Decouple certificate common name from proxy registry (#4763) 436e24f (steeling)
  • test(*): add retry policy e2e (#4600) 28ed531 (Shalier Xia)
  • ref(ci): update actions/setup-go to v3 db71482 (Jon Huhn)
  • ref(ci): run tests/scenarios as unit tests 6c38317 (Jon Huhn)
  • Decouple certificate common name from various components (#4759) ae53c47 (steeling)
  • Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a7 (Thomas Stringer)
  • ref(e2e): move k8s version test config to CI 5ec3e75 (Jon Huhn)
  • ref(ci): remove PR/push distinction in e2e tests f73b9af (Jon Huhn)
  • feat(certs): create MRC on install (#4747) 7ddd4d1 (Jackie Elliott)
  • remove unused code paths (#4758) 27ab5a7 (steeling)
  • Add root path ingress e2e test (#4756) 15f0a18 (Niranjan Shankar)
  • fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60 (Thomas Stringer)
  • contrib: add guideline for design docs (#4757) a241cba (Shashank Ram)
  • feat(cert): cert rotation state management (#4743) ecc4e67 (steeling)
  • Feature/statefulsets: fix protocol detection for ports (#4752) 9b11d76 (Keith Mattix II)
  • remove head of line blocking from workerpool (#4648) d1ef8b1 (steeling)
  • cli/verifier: add control plane health probe checks (#4751) dd42d04 (Shashank Ram)
  • (feat/statefulsets): MeshService API changes for Headless Services (#4704) 0af42df (Keith Mattix II)
  • fix(demo): remove unneeded port-forward for bookstore (#4740) 3395da5 (Jon Huhn)
  • ref(certs): use secretKeyRef for Vault token in MRC (#4736) 855776a (Jackie Elliott)
  • cli/verifier: use pod status conditions for readiness check (#4749) 9ffa3d3 (Shashank Ram)
  • ref(certs): unexport methods on cert manager (#4742) 21bc67d (steeling)
  • cli/verifier: add ingress verification (#4715) ec9b9f9 (Keith Mattix II)
  • feat(certificate): create a compat layer for provider generation (#4718) 00bc363 (steeling)
  • feat(envoy): allow websocket upgrade for all http connections (#4741) 96e0879 (Martin Andreas Ullrich)
  • cli/verifier: add control-plane-health command (#4734) fc638c3 (Shashank Ram)
  • feat(api/MeshRootCertificate): add informer client (#4721) 5a885ef (Jackie Elliott)
  • chore(release): update chart version (#4730) 102baf5 (Jon Huhn)
  • cli/verifier: add cluster check for egress (#4729) 53a2238 (Shashank Ram)
  • fix(demo): default USE_PRIVATE_REGISTRY to false (#4727) 6a5e689 (Jon Huhn)
  • refactor(cmd/cli): update uninstall cmd (#4664) 76d177f (Shalier Xia)
  • egress: add cli verifier and rename traffic match (#4724) a6d71d2 (Shashank Ram)
  • policy: Updates retry policy API (#4627) 1278055 (Shalier Xia)
  • ref(cert): update Manager to support mult clients (#4705) a8330dc (Jackie Elliott)
  • cli/verifier: add stubs for egress checks (#4719) 87b709d (Shashank Ram)
  • cli/verifier: verify presence of secrets (#4714) 55bdb17 (Shashank Ram)
  • Fix e2e_client_server_connectivity_test noInstall (#4708) 1e7d22a (Niranjan Shankar)
  • refactor k8s root ca secret access (#4657) bd5247b (steeling)
  • ref(certs): refactor k8s root ca secret access (#4657) 896fb7a (steeling)
  • crds: add MeshRootCertificate CRD (#4687) 19eb161 (Jackie Elliott)
  • docs(contrib): recommend not rewriting git history (#4709) 876579b (Jon Huhn)
  • bugreport: collect more ingress & control plane info (#4703) 13802e8 (Shashank Ram)
  • pkg/injector: Enable podIP proxying via meshconfig setting (#4701) 0ad92c9 (Keith Mattix II)
  • add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 63715c0 (steeling)
  • feat(injector): add list of ignored network interfaces (#4700) f922b5c (Jon Huhn)
  • cli/verifier: check presence of service cluster (#4695) ddd10e2 (Shashank Ram)
  • config/meshConfig: New localProxyMode field (#4686) 86690a3 (Keith Mattix II)
  • feat(certificates) rework cert manager, integrate rotor (#4645) d485366 (schristoff)
  • fix(certificates): fail politely in tresor's cert issuer (#4696) ce2a0e5 (schristoff)
  • cli/verifier: derive appProtocol from service (#4691) 77b4dd8 (Shashank Ram)
  • Support pod recreation for the kubectl debug command. (#4688) 0a1653e (steeling)
  • cli/verifier: verify basic HTTP route configs (#4682) 24a494b (Shashank Ram)
  • Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) bc3ff99 (Keith Mattix II)
  • config/meshConfig: New localProxyMode field (#4671) (#4680) a8a3dbb (steeling)
  • apis: add MeshRootCertificate API types (#4677) 455887d (Jackie Elliott)
  • ref(injector): load bootstrap SDS configuration from filesystem (#4635) 0163584 (Jackie Elliott)
  • fix(doc): update release guide (#4661) 4f204dd (Jon Huhn)
  • feat(metrics): add osm_events_queued metric (#4670) 4cd4f6a (Jon Huhn)
  • config/meshConfig: New localProxyMode field (#4671) 966405b (Keith Mattix II)
  • IngressBackend UpstreamTrafficSetting validations (#4640) a54b404 (Keith Mattix II)
  • expose the version information via prometheus (#4679) 1faa13a (steeling)
  • fix: upgrade vulnerable library crypto (#4676) 1550133 (allenlsy)
  • ref(test): migrate e2e app to Fortio (#4631) cf1395e (allenlsy)
  • cli/verifier: verify destination for connectivity config (#4672) f04a613 (Shashank Ram)
  • chore(release): Update Chart.yaml to use release v1.1 (#4662) 2f36980 (schristoff)
  • envoy/verifier: add source config checker (#4658) 82492c0 (Shashank Ram)
  • update prometheus v2.34.0 (#4666) f021edd (Niranjan Shankar)
  • tests: move fakes to own sub-package (#4667) 5c966ac (Shashank Ram)
  • Reword the README note about OSM's production readiness. (#4660) 46781f2 (Thomas Stringer)
  • cli/verifier: add Envoy config dump parser (#4646) a918abf (Shashank Ram)
  • ref(smi): remove unused kubeClient from smi client (#4643) 95a898f (Deepesh Pathak)
  • cli: add verify command (#4639) 9be0fa4 (Shashank Ram)
  • Add --overwrite to kubectl label cmd in osm bootstrap (#4641) af50d17 (Niranjan Shankar)
  • fix(ci): fix lint (#4629) 9ca8e41 (Jon Huhn)