Tags: jroper/linkerd2-proxy
Tags
v2.141.0 This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations.
v2.140.0 This release fixes two issues: 1. The inbound proxy could break non-meshed TLS connections when the initial ClientHello message was larger than 512 bytes or when the entire message was not received in the first data packet of the connection. TLS detection has been fixed to ensure that the entire message is preserved in these cases. 2. The admin server could emit warnings about HTTP detection failing in some innocuous situations, such as when the socket closes before a request is sent. These situations are now handled gracefully without logging warnings.
v2.139.0 This release includes several stability improvements, following initial feedback from the stable-2.10.0 release: * The control plane proxies no longer emit warnings about the resolution stream ending. This error was innocuous. * The proxy's logging infrastructure has been updated to avoid including client addresses in cached logging spans. Now, client addresses are preserved to be included in warning logs. This should reduce memory pressure in high-connection environments. * The proxy could infinitely retry failed requests to the destination controller when it returned a FailedPrecondition, indicating an unexpected cluster state. These errors are now handled gracefully.
v2.138.0 This release fixes an issue where non-HTTP streams could hang due to TLS buffering. Buffered data is now flushed more aggressively to prevent TCP streams from getting "stuck" in the proxy.
v2.137.0 This release fixes several stability issues identified in pre-release testing: * linkerd/linkerd2#5871 reported that the outbound proxy would not tear down client connections when communicating with a defunct endpoint (especially when communicating with headless services). Now, dispatch timeouts trigger serverside connection teardown so that clients have an opportunity to re-resolve the destination. * The ingress-mode outbound proxy did not properly share load balancers for connections targeting multiple endpoints in the same logical service. Now, when the l5d-dst-override header is set, the ingress-mode proxy correctly reuses load balancers independently of the original destination address. * The proxy's server could panic when `accept(2)` returned an error. This case is now handled gracefully and logged as a warning. * The inbound proxy included a redundant cache that has been removed. * Diagnostic logging has been improved, especially for TCP forwarding.
v2.136.0 The proxy would log 'Connection closed' messages at the INFO level in benign/innocuous situations where these logs create more concern than they provide actionable information. This release updates the proxy server to log I/O errors at the DEBUG level. Other errors, like TLS detetion timeouts, continue to be logged at INFO.
v2.135.0 This change removes the `tcp_connection_duration_ms` histogram from metrics export. This metric can end up being extremely high-cardinality without providing much value. Furthermore, an issue was fixed that prevented some modules from being able to update their log level dynamically.
v2.134.0 This release updates the proxy to use TLS version 1.3 for proxy-to-proxy communication. Support for TLS 1.2 remains enabled for compatibility with prior proxy versions. This release also includes an update to the `tracing-subscriber` dependency that may reduce latency and CPU usage.
v2.124.2 This release addresses linkerd/linkerd2#5298 by backporting fixes to origin-form uri handling (from 2a645b7) to the release/v2.124.0 tag. This fix will be released as part of a stable-2.9.4 patch release.
v2.133.0 This release changes the outbound proxy to fail all connections to the loopback interface. Such connections should never be proxied in normal operation. This helps to prevent against traffic loops. Additionally, the proxy's core dependencies have been updated and proxy-specific implementations of general features have been replaced by those in the `tower` crate.
PreviousNext