Tags: iojcde/linkerd2-proxy

release/v2.150.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.150.0

This release features a change to gateway proxies to support endpoint
targets. Previously, only logical services were supported as gateway
targets.

The proxy now sets an informational header, `l5d-proxy-error`, when the
proxy encounters an internal error. This allows proxy-generated error
responses to be distinguished from application-generated error
responses.

HTTP/2 keepalives are no longer configured by the proxy. This resolves
conflicts with some Go gRPC clients & servers (as described in
linkerd/linkerd2#5988).

Finally, the `*_tcp_accept_errors` metrics now include a `target_addr`
label. This improves diagnostics, especially for TLS detection timeouts.

release/v2.149.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.149.0

This release replaces the `request_errors_total` metric with new metrics:
`inbound_http_errors_total` and `outbound_http_errors_total`. This
release also introduces new metrics--`inbound_tcp_accept_errors_total`
and `outbound_tcp_accept_errors_total`--that count proxy errors
encountered before a protocol can be detected.

release/v2.148.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.148.0

This release updates a wide variety of the proxy's dependencies. No
user-facing changes are expected.

release/v2.147.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.147.0

This release fixes a problem with the HTTP body buffering that was added
to support gRPC retries. The proxy would buffer all request bodies,
regardless of size or retry configurations. This has been fixed so that
only requests with a retry configuration are buffered (and only when
their bodies are less than 64KB).

This release also fixes an issue with the outbound ingress-mode proxy
where forwarded HTTP traffic could fail to detect when the target pod
was deleted, retrying connections forever. This only impacted traffic
forwarded directly to pod IPs (and not load balanced services). This has
been fixed temporarily by adding a failfast layer that triggers 502
errors when the endpoint has disconnected, which cause the connection to
be torn down so that the ingress may reconnect. A more robust solution
will replace this in the future.

Furthermore, core dependencies have been updated including: futures,
hyper, socket2, and tokio.

release/v2.146.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.146.0

This release adds support for retrying messages with small (<64KB)
bodies. Now when retry policies specify retries for POST messages, etc,
the proxy will properly buffer and resubmit these message bodies when
responses are classified as a failure.

This release also modifies the proxy's identity subsystem to instantiate
a client on-demand so client connections are not retained continually.
The identity client is typically used only once per day, so there's no
need to maintain these resources continually.

release/v2.145.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.145.0

* Controller clients of components with more than one replica could fail
  to drive all connections to completion. This could result in timeouts
  showing up in logs, but would not have prevented proxies from
  communicating with controllers. linkerd/linkerd2#6146
* linkerd#992 made the `l5d-dst-override` header required
  for ingress-mode proxies. This behavior has been reverted so that
  requests without this header are forwarded to their original
  destination.
* OpenCensus trace spans for HTTP requests no longer include query
  parameters.

release/v2.144.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.144.0

This release adds an `l5d-client-id` header on mutually-authenticated
inbound requests so that applications can discover the client's
identity. This header is omitted on requests from unauthenticated
connections.

release/v2.143.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v1.43.0

This release simplifies internals so that endpoint-forwarding logic is
completely distinct from handling of load balanced services.

The ingress-mode outbound proxy has been simplified to *require* the
`l5d-dst-override` header and to fail non-HTTP communication. This
ensures that the ingress-mode proxy does not unexpectedly revert to
insecure communication.

Finally, a regression was recently introduced that caused all proxy logs
to be output with ANSI control characters. Logs are now output in
plaintext by default.

release/v2.141.1

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.141.1

This release cherry-picks several fixes back to the v2.141.0 proxy
release (which was released in linkerd stable-2.10.1):

- Fixes a task leak that could be triggered when clients disconnect when
  a service is in failfast.
- Improves admin server protocol detection so that error messages are
  more descriptive about the underlying problem.
- Fixes panics found in fuzz testing. These panics were extremely
  unlikely to occur in practice and would require very specific
  configuration overrides to be triggered.

release/v2.142.0

Verified

This tag was signed with the committer’s verified signature.
olix0r Oliver Gould
v2.142.0

This release primarily improves protocol detection error messages in the
admin server so that logs clearly indicate when the client expected a
different TLS server identity than that of the running proxy.

A number of internal improvements have been made, especially eliminating
some potential runtime panics detected by oss-fuzz. It is not expected
that these panics could be triggered in typical cluster configurations.