Tags: linkerd/linkerd2
build(deps): bump kubert from 0.21.2 to 0.22.0 (#13399) This change introduces a timeout into the kubernetes lease logic so that patches may not get stuck indefinitely. This change also modifies our Cargo.tomls so that kubert and its related dependencies (kube and k8s-openapi) are defined at the workspace-level.
fix(destination): avoid panic on missing managed fields timestamp (#13378)

We received a report of a panic:

```
runtime error: invalid memory address or nil pointer dereference
panic({0x1edb860?, 0x37a6050?}
    /usr/local/go/src/runtime/panic.go:785 +0x132
github.com/linkerd/linkerd2/controller/api/destination/watcher.latestUpdated({0xc0006b2d80?, 0xc00051a540?, 0xc0008fa008?})
    /linkerd-build/vendor/github.com/linkerd/linkerd2/controller/api/destination/watcher/endpoints_watcher.go:1612 +0x125
github.com/linkerd/linkerd2/controller/api/destination/watcher.(*OpaquePortsWatcher).updateService(0xc0007d5480, {0x21fd160?, 0xc000d71688?}, {0x21fd160, 0xc000d71688})
    /linkerd-build/vendor/github.com/linkerd/linkerd2/controller/api/destination/watcher/opaque_ports_watcher.go:141 +0x68
```

The `latestUpdated` function does not properly handle the case where a time is omitted from a `ManagedFieldsEntry`.

```go
type ManagedFieldsEntry struct {
	// Time is the timestamp of when the ManagedFields entry was added. The
	// timestamp will also be updated if a field is added, the manager
	// changes any of the owned fields value or removes a field. The
	// timestamp does not update when a field is removed from the entry
	// because another manager took it over.
	// +optional
	Time *Time `json:"time,omitempty" protobuf:"bytes,4,opt,name=time"`
```

This change adds a check to avoid the nil dereference.
build(deps): bump openssl-src from 300.4.0+3.4.0 to 300.4.1+3.4.0 (#13338)

Bumps [openssl-src](https://github.com/alexcrichton/openssl-src-rs) from 300.4.0+3.4.0 to 300.4.1+3.4.0.

- [Release notes](https://github.com/alexcrichton/openssl-src-rs/releases)
- [Commits](https://github.com/alexcrichton/openssl-src-rs/commits)

---
updated-dependencies:
- dependency-name: openssl-src
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Update outbound policy watches when routes change parents (#13315)

Fixes #13280

When an xRoute resource is updated to change its parent_refs, the route may attach to new parents or become unattached to parents it was previously attached to. However, in the policy-controller, the xRoute update will only be sent to the parents on the new version of the route resource and any existing watches on parents that the route was unattached from will not be updated.

Unfortunately, the kube-rs watch interface only provides the new version of a resource when it is updated, and not the previous state. This means that we cannot know which parents the route might have been unattached to when it was updated. Therefore, we send the route update to all NamespaceIndexes and each one removes that route from each parent if that parent is not currently an accepted parent of the route.

We also add integration tests for this behavior.

This issue applies to all xRoutes: policy HttpRoute, gateway HttpRoute, GrpcRoute, TlsRoute, and TcpRoute.

Signed-off-by: Alex Leong <alex@buoyant.io>
feat(policy): add HTTPLocalRateLimitPolicy (#13231)

This adds the HTTPLocalRateLimitPolicy CRD, which is indexed by the policy controller and exposed by the inbound API.

- 81ebc08: HTTPLocalRateLimitPolicy CRD and related changes
- 01afd23: policy controller central changes
- b098925: rust tests updates and additions
- 2f45597: golden files updates.

## Testing

In a cluster with linkerd and emojivoto injected, deploy these resources:

```yaml
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  namespace: emojivoto
  name: web-http
spec:
  # permissive policy, so we don't require setting up authz
  accessPolicy: all-unauthenticated
  podSelector:
    matchLabels:
      app: web-svc
  port: http
  proxyProtocol: HTTP/1
```

```yaml
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPLocalRateLimitPolicy
metadata:
  namespace: emojivoto
  name: web-rl
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-http
  total:
    requestsPerSecond: 100
  identity:
    requestsPerSecond: 20
  overrides:
  - requestsPerSecond: 10
    clientRefs:
    - kind: ServiceAccount
      namespace: emojivoto
      name: default
```

```console
$ kubectl -n emojivoto get httplocalratelimitpolicies.policy.linkerd.io
NAME     TARGET_KIND   TARGET_NAME   TOTAL_RPS   IDENTITY_RPS
web-rl   Server        web-http      100         20
```

Then see how the RL policy is exposed at the inbound API under the protocol section, with `linkerd dg policy -n emojivoto po/web-85f6fb8564-jp67d 8080`:

```yaml
...
protocol:
  Kind:
    Http1:
      local_rate_limit:
        identity:
          requestsPerSecond: 20
        metadata:
          Kind:
            Resource:
              group: policy.linkerd.io
              kind: httplocalratelimitpolicy
              name: web-rl
        overrides:
        - clients:
            identities:
            - name: default.emojivoto.serviceaccount.identity.linkerd.cluster.local
          limit:
            requestsPerSecond: 10
        total:
          requestsPerSecond: 100
...
```
proxy: v2.261.0 (#13278) Release notes: https://github.com/linkerd/linkerd2-proxy/releases/tag/release/v2.261.0 Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com> Co-authored-by: l5d-bot <l5d-bot@users.noreply.github.com>
build(deps): bump google-github-actions/auth from 2.1.6 to 2.1.7 (#13249)

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.6 to 2.1.7.

- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@8254fb7...6fc4af4)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>