Kuma Versions

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.

2.4.6

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): update iptables version (backport of #9200) #9214 @kumahq
  • chore(deps): upgrade envoy to v1.27.3 #9220 @lukidzi

2.5.3

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): security update #9287 @kumahq
  • chore(deps): update iptables version (backport of #9200) #9215 @kumahq
  • chore(deps): upgrade envoy to v1.28.1 #9219 @lukidzi
  • fix(gatewayapi): don't add HTTPRoute status if Kuma isn't the controller (backport of #9228) #9235 @kumahq

2.6.1

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): downgrade go-control-plane to v0.11.2-0.20231010133108-1dfbe83bcebc (backport of #9163) #9285 @kumahq
  • chore(deps): security update #9288 @kumahq
  • chore(deps): update iptables version (backport of #9200) #9216 @kumahq
  • chore(deps): upgrade envoy to v1.28.1 #9218 @lukidzi
  • chore(deps): use latest kumahq/kuma-gui #9174 #9194 @kumahq
  • fix(MeshGateway): fix MeshTCPRoute on MeshGateway (backport of #9167) #9180 @kumahq
  • fix(MeshTCPRoute): allow MeshGateway listener tags #9239 @michaelbeaumont
  • fix(defaults): change meshsubset to mesh for gateway's meshtimeout (backport of #9192) #9199 @kumahq
  • fix(gatewayapi): don't add HTTPRoute status if Kuma isn't the controller (backport of #9228) #9236 @kumahq
  • fix(kubernetes): create builtin CA once (backport of #9124) #9129 @kumahq
  • fix(kuma-cp): copy annotations when adding/update k8s object (backport of #9254) #9263 @kumahq
  • fix(kuma-cp): kds sync on upgrade doubles the number of policies (backport of #9259) #9273 @kumahq
  • fix(kuma-cp): prevent violating kubernetes label limit (backport of #9191) #9233 @kumahq

2.2.6

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): security update #8202 #8673 #8698 #9105 @kumahq
  • chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8960 @kumahq
  • chore(deps): update go to 1.21.4 (backport of #8341) #8346 @kumahq
  • chore(deps): update go to 1.21.5 (backport of #8616) #8623 @kumahq
  • chore(deps): upgrade envoy to 1.25.11 #8163 @lukidzi
  • fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8178 @kumahq
  • fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8305 @kumahq
  • fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8195 @kumahq

2.3.4

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): security update #8204 #8674 #8697 #9099 @kumahq
  • chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8958 @kumahq
  • chore(deps): update go to 1.21.4 (backport of #8341) #8343 @kumahq
  • chore(deps): update go to 1.21.5 (backport of #8616) #8624 @kumahq
  • chore(deps): upgrade envoy to 1.26.6 #8162 @lukidzi
  • fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8175 @kumahq
  • fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8306 @kumahq
  • fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8196 @kumahq
  • fix(kds): race condition on fill metadata (backport of #8872) #8997 @kumahq

2.4.5

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): bump the go-opentelemetry-io group with 3 updates (backport of #8347) #8352 @kumahq
  • chore(deps): security update #8672 #8699 #9100 @kumahq
  • chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8961 @kumahq
  • chore(deps): update go to 1.21.4 (backport of #8341) #8345 @kumahq
  • chore(deps): update go to 1.21.5 (backport of #8616) #8626 @kumahq
  • fix(ZoneIngress): subset routing when tag is present on all subsets (backport of #8443) #8473 @kumahq
  • fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8307 @kumahq
  • fix(kds): race condition on fill metadata (backport of #8872) #9000 @kumahq

2.5.2

3 months ago

This is a patch release that every user should upgrade to.

Changelog

  • chore(deps): security update #8678 #8694 #9103 @kumahq
  • chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8962 @kumahq
  • chore(deps): update go to 1.21.5 (backport of #8616) #8627 @kumahq
  • fix(kds): race condition on fill metadata (backport of #8872) #8999 @kumahq
  • fix(kuma-cp): assign extensions in ZoneInsightSink constructor (backport of #8940) #8956 @kumahq
  • fix(vips): skip ignored listeners (backport of #8937) #8982 @kumahq

2.6.0

4 months ago

Get ready to elevate your Kuma experience with the release of Kuma 2.6.0, a jam-packed update that brings a myriad of exciting features to the table. From introducing a new MeshMetric policy to expanding policy targeting capabilities for MeshGateways, this minor release is packed with enhancements that will transform your network connectivity.

Check out the blog post for more details!

Upgrading

We strongly suggest upgrading to Kuma 2.6.0. Upgrading is straightforward through kumactl or Helm. Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable Changes

  • 🚀 Expanded Policy Targeting

    Kuma now allows a wider range of policies, including MeshCircuitBreaker, MeshFaultInjection, and MeshAccessLog, to target MeshGateways. This expands the granularity of policy enforcement and enables more fine-grained control over network traffic at the gateway level.

  • 🚀 MeshMetric Policy for Comprehensive Traffic Metrics

    Kuma introduces the new MeshMetric policy, which provides a centralized and consistent approach to collecting traffic metrics across all data plane proxies in a mesh. This policy simplifies the management of metrics configurations and ensures that all traffic data is captured uniformly.

  • 🚀 Streamlined MeshGateway Routing

    MeshHTTPRoute and MeshTCPRoute can now replace MeshGatewayRoute for configuring how a MeshGateway should process network traffic. This change provides greater flexibility and control over gateway routing rules.

  • 🚀 Modernized Default Policies

    The default legacy policies automatically created during mesh creation have been replaced with new, targetRef style policies.

  • 🚀 Enhanced Traffic Flow without mTLS

    When mTLS is not enabled for a mesh, traffic now flows by default, eliminating the need for a TrafficRoute policy.

  • 🚀 Improved GUI Experience

    Kuma 2.6.0 introduces a number of enhancements to the graphical user interface (GUI), making it more user-friendly and intuitive.

  • 🚀 Effortless Single-Zone to Multi-Zone Migration

    Kuma's zone federation allows you to effortlessly migrate from a single-zone deployment to a multi-zone configuration. This means you can start small with a single zone and gradually federate additional zones as your network grows, ensuring a smooth and controlled scaling process.

Changelog

  • chore(deps): bump actions/cache from 3.3.2 to 4.0.0 #8865 #8985 @dependabot
  • chore(deps): bump actions/checkout from 3.1.0 to 4.1.1 #8862 @dependabot
  • chore(deps): bump actions/download-artifact and actions/upload-artifact from 3 to 4 #8701 @michaelbeaumont
  • chore(deps): bump actions/github-script from 6 to 7 #8422 #8530 @dependabot
  • chore(deps): bump actions/setup-go from 4 to 5 #8586 @dependabot
  • chore(deps): bump actions/upload-artifact from 3.1.0 to 4.2.0 #8863 #8986 @dependabot
  • chore(deps): bump debian from fab22df to b16cef8 #8465 #8685 #8853 @dependabot
  • chore(deps): bump distroless/base-nossl-debian11 from 1ae8df5 to 61c9d7a #8659 @dependabot
  • chore(deps): bump distroless/static-debian11 from cdb2034 to 1e5b9bb #8657 @dependabot
  • chore(deps): bump github.com/bakito/go-log-logr-adapter from v0.0.2 to latest #8646 @michaelbeaumont
  • chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 #8693 @dependabot
  • chore(deps): bump github.com/containernetworking/plugins from 1.3.0 to 1.4.0 #8588 @dependabot
  • chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.0 to 3.11.2 #8791 @dependabot
  • chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 #8738 @dependabot
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 #8857 #8971 @dependabot
  • chore(deps): bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.1 #8883 @dependabot
  • chore(deps): bump github.com/exaring/otelpgx from 0.5.2 to 0.5.3 #8975 @dependabot
  • chore(deps): bump github.com/go-logr/logr from 1.3.0 to 1.4.1 #8726 @dependabot
  • chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.0 #8724 @dependabot
  • chore(deps): bump github.com/google/uuid from 1.4.0 to 1.6.0 #8644 #9018 @dependabot
  • chore(deps): bump github.com/gruntwork-io/terratest from 0.46.7 to 0.46.11 #8589 #8790 #8968 @dependabot
  • chore(deps): bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.2 #8587 #8860 @dependabot
  • chore(deps): bump github.com/miekg/dns from 1.1.56 to 1.1.58 #8421 #8970 @dependabot
  • chore(deps): bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.15.0 #8520 #8859 #8973 @dependabot
  • chore(deps): bump github.com/onsi/gomega from 1.30.0 to 1.31.1 #8976 @dependabot
  • chore(deps): bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 #8728 @dependabot
  • chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 #8858 @dependabot
  • chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 #8974 @dependabot
  • chore(deps): bump github.com/testcontainers/testcontainers-go from 0.26.0 to 0.27.0 #8725 @dependabot
  • chore(deps): bump github/codeql-action from 2 to 3.23.1 #8662 #8864 #8984 @dependabot
  • chore(deps): bump golang from 1.21.4 to 1.21.6 #8616 #8944 @jakubdyszkiewicz,@michaelbeaumont
  • chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 #8665 @dependabot
  • chore(deps): bump golang.org/x/net from 0.18.0 to 0.20.0 #8519 #8789 @dependabot
  • chore(deps): bump golang.org/x/sys from 0.14.1-0.20231108175955-e4099bfacb8c to 0.16.0 #8521 #8774 @dependabot
  • chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.61.0 #8645 #8686 #9017 @dependabot
  • chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 #8727 @dependabot
  • chore(deps): bump helm.sh/helm/v3 from 3.13.2 to 3.14.0 #8643 #8969 @dependabot
  • chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.3.1 #8861 @dependabot
  • chore(deps): bump postgres from e213539 to 49c276f #8785 #8842 #8866 @dependabot
  • chore(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 #8972 @dependabot
  • chore(deps): bump sigs.k8s.io/controller-tools from 0.13.0 to 0.14.0 #8856 @dependabot
  • chore(deps): bump the go-opentelemetry-io group with 3 updates #8420 @dependabot
  • chore(deps): bump the go-opentelemetry-io group with 5 updates #8967 @dependabot
  • chore(deps): bump the k8s-libs group from 0.28.3 to 0.28.4 #8419 @dependabot
  • chore(deps): bump the k8s-libs group with 1 update #8854 @dependabot
  • chore(deps): bump the k8s-libs group with 3 updates #8642 @dependabot
  • chore(deps): bump the k8s-libs group with 4 updates #8966 @dependabot
  • chore(deps): bump ubuntu from 2b7412e to 6042500 #8518 #8658 @dependabot
  • chore(deps): fix update insecure dependencies by setting bigger swap #8677 @slonka
  • chore(deps): more explicit image tag in envoy.Dockerfile #8482 @michaelbeaumont
  • chore(deps): security update #8696 #9104 @kumahq
  • chore(deps): tag ubuntu image more explicitly #8988 @michaelbeaumont
  • chore(deps): use latest kumahq/kuma-gui #8400 #8401 #8405 #8418 #8425 #8434 #8440 #8441 #8446 #8452 #8453 #8454 #8470 #8480 #8481 #8488 #8496 #8501 #8504 #8507 #8531 #8534 #8538 #8546 #8550 #8554 #8561 #8564 #8577 #8579 #8583 #8585 #8590 #8592 #8594 #8600 #8601 #8619 #8620 #8637 #8638 #8684 #8709 #8712 #8714 #8735 #8751 #8758 #8779 #8784 #8794 #8797 #8802 #8803 #8810 #8835 #8841 #8848 #8850 #8869 #8870 #8871 #8886 #8895 #8899 #8903 #8910 #8914 #8917 #8941 #8948 #8987 #9003 #9004 #9008 #9040 #9052 #9055 @kumahq
  • feat(ExternalService): make ExternalServices independent of TrafficPermission #8745 @lukidzi
  • feat(ExternalService): validate same value for service and address #8641 @jakubdyszkiewicz
  • feat(MeshAccessLog): select gateway listeners #8560 @michaelbeaumont
  • feat(MeshCircuitBreaker): select MeshGateway listeners #8562 @michaelbeaumont
  • feat(MeshFaultInjection): select MeshGateway listeners #8574 @michaelbeaumont
  • feat(MeshFaultInjection): support ExternalServices with ZoneEgress #8742 @lukidzi
  • feat(MeshHTTPRoute): add basic gRPC support #8752 @lukidzi
  • feat(MeshHTTPRoute): add hostToBackendHostname rewrite with MeshGateway #8772 @michaelbeaumont
  • feat(MeshHTTPRoute): basic MeshGateway support #8402 @michaelbeaumont
  • feat(MeshHTTPRoute): support hostnames with MeshGateway #8663 @michaelbeaumont
  • feat(MeshHealthCheck): select MeshGateway listeners #8570 @michaelbeaumont
  • feat(MeshLoadBalancingStrategy): add option to configure ActiveRequestBias #8553 @lukidzi
  • feat(MeshLoadBalancingStrategy): select MeshGateway listeners #8571 @michaelbeaumont
  • feat(MeshLoadBalancingStrategy): support kind MeshGateway #8889 @michaelbeaumont
  • feat(MeshMetric): add create conflicts to the metric #8894 @jakubdyszkiewicz
  • feat(MeshMetric): implement OpenTelemetry API for MeshMetric #8874 @Automaat
  • feat(MeshRateLimit): select MeshGateway listeners #8733 @michaelbeaumont
  • feat(MeshRateLimit): support ExternalServices with ZoneEgress #8743 @lukidzi
  • feat(MeshRetry): select MeshGateway listeners #8734 @michaelbeaumont
  • feat(MeshTCPRoute): add kafka protocol support #8781 @lukidzi
  • feat(MeshTCPRoute): support MeshGateway #8817 @michaelbeaumont
  • feat(MeshTimeout): add RequestHeadersTimeout option and configure MeshGateway #8896 @lukidzi
  • feat(MeshTimeout): select MeshGateway listeners #8573 @michaelbeaumont
  • feat(MeshTrace): select MeshGateway listeners #8595 @michaelbeaumont
  • feat(MeshTrace): support kind MeshGateway #8888 @michaelbeaumont
  • feat(api-server): add /_resources endpoint #8529 @lahabana
  • feat(api-server): add _rules api to MeshGateways #8540 @lahabana
  • feat(api-server): add dataplanes/_rules new inspect api #8442 @lahabana
  • feat(api-server): skip auth on specific endpoints #8458 @jakubdyszkiewicz
  • feat(bootstrap): support customizing corefile template from kuma-cp #8634 @jijiechen
  • feat(dataplane): ignored listeners with ignored labels in selector #8463 @jakubdyszkiewicz
  • feat(grafana): change fixed interval to rate interval variable #8713 @jakubdyszkiewicz
  • feat(gui): add disabled in the index.html and remove disabled page #8813 @lahabana
  • feat(injector): add ephemeral-storage resource request/limit for sidecars #8882 @jijiechen
  • feat(intercp): drop leader on cp shutdown #9046 @jakubdyszkiewicz
  • feat(k8s): show ZoneEgress zone as column #8913 @michaelbeaumont
  • feat(k8s): show ZoneIngress zone as column #8906 @michaelbeaumont
  • feat(kds): add zoneCP info in zone-insights #8720 @lahabana
  • feat(kds): log additional gRPC status codes at info level #8502 @michaelbeaumont
  • feat(kuma-cp): added comment and more explicit structure #8753 @lukidzi
  • feat(kuma-cp): create default target ref policies #8920 @lukidzi
  • feat(kuma-cp): deprecate standalone mode #8478 @jakubdyszkiewicz
  • feat(kuma-cp): disable the default creation of TrafficPermission and TrafficRoute #8964 @lukidzi
  • feat(kuma-cp): enable zone-originated MeshGateway #8919 @lobkovilya
  • feat(kuma-cp): enable zone-originated policies #8801 @lobkovilya
  • feat(kuma-cp): hash-suffix remove feature flag #8461 @lobkovilya
  • feat(kuma-cp): move protocol information to mesh context #8479 @lukidzi
  • feat(kuma-cp): require kuma.io/origin: zone label when creating zone-origination policies #8873 @lobkovilya
  • feat(kuma-cp): support cross-zone MeshTCPRoute #8509 @michaelbeaumont
  • feat(kuma-cp): support labels in ResourceMeta #8516 @lobkovilya
  • feat(kuma-cp): use labels for KDS sync #8762 @lobkovilya
  • feat(kuma-dp): add coredns logging flag #8485 @timothy-spencer
  • feat(kumactl): basic export command #8718 #9009 @jakubdyszkiewicz,@slonka
  • feat(kumactl): export in kube format #8747 @jakubdyszkiewicz
  • feat(kumactl): make k8s resources applicable on other clusters #8775 @jakubdyszkiewicz
  • feat(kumactl): more profiles in export #8780 @jakubdyszkiewicz
  • feat(mads): extend MADS service to use data from MeshMetric policy #8608 @slonka
  • feat(policy): Add MeshMetric api #8576 @Automaat
  • feat(policy): Implement dynamic DPP configuration based on MeshMetric policy #8793 @Automaat
  • feat(policy): add OpenTelemetry support for MeshMetric #8893 @Automaat
  • feat(policy): add MeshMetric policy e2e tests #8750 @Automaat
  • feat(policy): add possibility to target only gateways/sidecars #8868 @lukidzi
  • feat(policy): add tags to backends for support VirtualOutbounds #8744 @lukidzi
  • feat(policy): allow policies with from and to configuring egress #8739 @lukidzi
  • feat(policy): implement MeshMetric xds #8617 @Automaat
  • feat(policy): support MeshGateway listener matching #8551 @michaelbeaumont
  • feat(resources): add kuma.io/display-name label #8705 @jakubdyszkiewicz
  • feat(routes): handle routing if there are no TrafficRoutes #8614 @michaelbeaumont
  • feat(universal): add VIP_REFRESH_INTERVAL #9042 @nicoche
  • feat(vip): record generation metrics #9047 @nicoche
  • feat(xds): do not generate independent listener for vips, use additional_addresses instead #8796 @jijiechen
  • feat(zone): create Zone resources on zone cp automatically and generate ZoneInsights #8584 @jakubdyszkiewicz
  • fix(MeshCircuitBreaker): revert validator and check if config is empty #9028 @lukidzi
  • fix(MeshFaultInjection): handle listener protocol correctly #8815 @michaelbeaumont
  • fix(MeshHTTPRoute): generate better resources when using HTTPS #9038 @michaelbeaumont
  • fix(MeshHTTPRoute): make ordering more consistent #8715 @michaelbeaumont
  • fix(MeshHTTPRoute): use 302 as default status code on Universal to match Kubernetes #8409 @michaelbeaumont
  • fix(MeshHealthCheck): handle gateway listener protocol correctly #8812 @michaelbeaumont
  • fix(MeshRateLimit): remove validation of Mesh type and proxyTypes for… #9041 @lukidzi
  • fix(MeshRetry): handle gateway listener protocol correctly #8811 @michaelbeaumont
  • fix(ZoneEgress): rewrite host header on ExternalService requests #8403 @michaelbeaumont
  • fix(ZoneIngress): subset routing when tag is present on all subsets #8443 @michaelbeaumont
  • fix(ZoneWatch): stop watching Zone if ZoneInsight not found #8766 @michaelbeaumont
  • fix(api): secret in k8s format #8741 @jakubdyszkiewicz
  • fix(gateway): check if external service from context when no trafficpermission #8957 @lukidzi
  • fix(gateway): isolate routes to SNI matches #9054 @michaelbeaumont
  • fix(k8s): support injection with label kuma.io/sidecar-injection: 'true' #8464 @michaelbeaumont
  • fix(kds): avoid rare cases where onStreamClosed is called with no state #8703 @lahabana
  • fix(kds): fix deletion of previous zones in components #8867 @lahabana
  • fix(kds): fix resource sync #9014 @lukidzi
  • fix(kds): make status tracker work when there's no metadata #8711 @lahabana
  • fix(kds): race condition on fill metadata #8872 @jakubdyszkiewicz
  • fix(kuma-cp): assign extensions in ZoneInsightSink constructor #8940 @bartsmykla
  • fix(kuma-cp): don't remove Service if MeshGateway is absent for a while (i.e. due to renaming) #8450 @lobkovilya
  • fix(kuma-cp): don't run outbound proxy generator when there is no TrafficRoute #9082 @michaelbeaumont
  • fix(kuma-cp): enable hash-suffix only if Zone has KDS feature #8460 @lobkovilya
  • fix(kuma-cp): failure during the migration from non-federated to federated zone #8938 @lobkovilya
  • fix(kuma-cp): fix address check to not be loopback ipv4 and ipv6 #8490 @lukidzi
  • fix(kuma-cp): global upgrade #8890 @lobkovilya
  • fix(kuma-cp): make metadata retrieve method public #8918 @lukidzi
  • fix(kuma-cp): return sorted list of k8s secrets #9030 @lukidzi
  • fix(kuma-cp): set creationTime on KDS sync #8945 @lobkovilya
  • fix(kuma-cp): treat envoy admin errors as 4xx #8615 @lobkovilya
  • fix(kuma-cp): upgrade from Zone CP without labels to new one #8839 @lobkovilya
  • fix(kuma-cp): use column names in sql insert #8688 @lobkovilya
  • fix(kuma-cp): use pagination store for secret store #9033 @lukidzi
  • fix(metrics): fix kds metrics for simple watchdog #8428 @slonka
  • fix(metrics): unify zone name in metrics for k8s and universal #8435 @slonka
  • fix(policy): allow period in targetRef names #8754 @michaelbeaumont
  • fix(policy): first lexicographically wins, kind MeshGateway with tags over kind MeshGateway #8691 @michaelbeaumont
  • fix(policy): improve validator messages, allow string failoverthreshold #8929 @lahabana
  • fix(policy): support delegated gateways #8740 @michaelbeaumont
  • fix(vips): skip ignored listeners #8937 @jakubdyszkiewicz

2.5.1

5 months ago

This is a patch release that every user should upgrade to.

Changelog

  • feat(dataplane): ignored listeners with ignored labels in selector (backport of #8463) #8544 @kumahq
  • fix(ZoneIngress): subset routing when tag is present on all subsets (backport of #8443) #8475 @kumahq
  • fix(metrics): fix kds metrics for simple watchdog (backport of #8428) #8430 @kumahq

2.5.0

6 months ago

We're excited to announce the release of Kuma 2.5, a new minor release packed with exciting features such as advanced locality-aware load balancing, auto-reachable services, and targetRef based policies becoming GA.

Upgrading

We strongly suggest upgrading to Kuma 2.5.0. Upgrading is easy through kumactl or Helm. Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable features:

  • 🚀 Advanced locality-aware load balancing inside and across zones helps you achieve cost savings and high reliability, even in the most constrained environments.
  • 🚀 Reachable services can now be derived from MeshTrafficPermissions to get performance improvements for free.
  • 🚀 Support for Gateway API v1 following Gateway API's first GA release!
  • 🚀 Delta KDS is now enabled by default. This greatly reduces the resource consumption of the Global CP / Zone CP protocol.
  • 🚀 Many improvements to the GUI.
  • 🚀 Upgrade to Envoy 1.28.

Read the blog post for details!

Changelog

  • chore(deps): bump actions/checkout from 3 to 4 #7639 @dependabot
  • chore(deps): bump actions/setup-node from 3 to 4 #8109 @dependabot
  • chore(deps): bump cirello.io/pglock from 1.14.0 to 1.14.1 #7914 @dependabot
  • chore(deps): bump debian from b91baba to 7d3e881 #7697 #7852 #8053 @dependabot
  • chore(deps): bump distroless/base-nossl-debian11 from 6579e1f to 1ae8df5 #7635 #7985 @dependabot
  • chore(deps): bump distroless/static-debian11 from 312a533 to cdb2034 #7636 #7987 @dependabot
  • chore(deps): bump envoy from 1.27.0 to 1.27.1 #8023 @lahabana
  • chore(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.2 #8093 @dependabot
  • chore(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #7712 @dependabot
  • chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible #8183 @dependabot
  • chore(deps): bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0 #7786 @dependabot
  • chore(deps): bump github.com/exaring/otelpgx from 0.5.1 to 0.5.2 #7857 @dependabot
  • chore(deps): bump github.com/go-logr/logr from 1.2.4 to 1.3.0 #8184 @dependabot
  • chore(deps): bump github.com/google/uuid from 1.3.0 to 1.4.0 #7609 #8188 @dependabot
  • chore(deps): bump github.com/gruntwork-io/terratest from 0.43.13 to 0.46.1 #7792 #7993 #8090 @dependabot
  • chore(deps): bump github.com/miekg/dns from 1.1.55 to 1.1.56 #7785 @dependabot
  • chore(deps): bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.13.0 #7611 #7854 #7991 @dependabot
  • chore(deps): bump github.com/onsi/gomega from 1.27.10 to 1.29.0 #7917 #8094 #8185 @dependabot
  • chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 #7916 @dependabot
  • chore(deps): bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 #7992 @dependabot
  • chore(deps): bump github.com/slok/go-http-metrics from 0.10.0 to 0.11.0 #8091 @dependabot
  • chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 #7989 @dependabot
  • chore(deps): bump github.com/testcontainers/testcontainers-go from 0.23.0 to 0.26.0 #7791 #7945 #8186 @dependabot
  • chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.0 to 0.1.1 #7641 @dependabot
  • chore(deps): bump go from 1.20.7 to 1.21.1 #7799 @lukidzi
  • chore(deps): bump go version to 1.21.3 #8001 @slonka
  • chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 #7789 @dependabot
  • chore(deps): bump golang.org/x/net from 0.14.0 to 0.16.0 #7699 #7988 @dependabot
  • chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #8034 @michaelbeaumont
  • chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 #7642 @dependabot
  • chore(deps): bump golang.org/x/text from 0.12.0 to 0.13.0 #7640 @dependabot
  • chore(deps): bump golangci-lint from v1.53.3 to v1.54.1 #7837 @michaelbeaumont
  • chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.59.0 #7698 #7788 #7856 #8097 @dependabot
  • chore(deps): bump helm.sh/helm/v3 from 3.12.3 to 3.13.1 #7915 #8089 @dependabot
  • chore(deps): bump k8s.io/apiextensions-apiserver from v0.28.1 to v0.28.2 #7918 @michaelbeaumont
  • chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.3 #7643 #7787 #8095 @dependabot
  • chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to v1.0.0 #7644 #7781 #8150 @dependabot,@michaelbeaumont
  • chore(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 #8187 @dependabot
  • chore(deps): bump the go-opentelemetry-io group with 3 updates #7784 #7920 @dependabot
  • chore(deps): bump the go-opentelemetry-io group with 3 updates #8347 @slonka
  • chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates #7613 @dependabot
  • chore(deps): bump the go-opentelemetry-io-otel group with 2 updates #7607 @dependabot
  • chore(deps): bump the k8s-libs group with 3 updates #7606 #7790 #8088 @dependabot
  • chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 #7638 #7731 #7853 @dependabot
  • chore(deps): bump ubuntu from ec050c3 to 2b7412e #7637 #7986 #8052 @dependabot
  • chore(deps): downgrade testcontainers-go from v0.24.0 to v0.23.0 #7800 @jakubdyszkiewicz
  • chore(deps): update gateway-api #8270 @michaelbeaumont
  • chore(deps): update go to 1.21.4 #8341 @slonka
  • chore(deps): upgrade envoy to 1.28.0 #8158 @lukidzi
  • chore(deps): upgrade github.com/gruntwork-io/terratest to v0.43.13 #7706 @lukidzi
  • chore(deps): use latest kumahq/kuma-gui #7603 #7604 #7605 #7612 #7614 #7617 #7619 #7620 #7622 #7626 #7627 #7628 #7629 #7631 #7646 #7647 #7648 #7650 #7653 #7658 #7659 #7689 #7700 #7710 #7713 #7721 #7727 #7729 #7730 #7732 #7733 #7738 #7739 #7749 #7750 #7754 #7755 #7766 #7777 #7779 #7795 #7797 #7798 #7802 #7804 #7806 #7811 #7812 #7822 #7866 #7867 #7899 #7900 #7902 #7935 #7953 #7966 #7973 #7979 #7980 #7983 #7984 #7996 #7998 #8009 #8010 #8041 #8045 #8048 #8049 #8057 #8059 #8061 #8074 #8080 #8083 #8085 #8104 #8115 #8118 #8120 #8126 #8145 #8146 #8147 #8201 #8207 #8210 #8213 #8214 #8215 #8217 #8219 #8220 #8221 #8232 #8236 #8238 #8239 @kumahq
  • feat(ExternalService): add skip hostname verification for external services #7633 @alparslanavci
  • feat(MeshLoadBalancingStrategy): new locality aware api #8082 #8112 @Automaat,@lukidzi
  • feat(MeshProxyPatch): allow policy to target MeshGateway resources #8044 @bartsmykla
  • feat(api-server): add /_overview for all types that have overviews #7999 #8173 @lahabana
  • feat(api-server): add filtering on list external-services and dataplanes #7810 @lahabana
  • feat(api-server): added query parameter to filter services by name #8154 @lukidzi
  • feat(api-server): implement new Global Insight endpoint #7775 #7872 @Automaat
  • feat(api-server): new inspect api #8148 @lahabana
  • feat(docs): add generated openapi docs #7975 @lahabana
  • feat(dp-token): allow validator to define keys not scoped to a mesh #8169 @nicoche
  • feat(events): configurable buffers and predicates #7735 @jakubdyszkiewicz
  • feat(gui): adds storeType index.html variable #7965 @johncowen
  • feat(helm): add configurable service port for cp ingress #8263 @lahabana
  • feat(helm): add loadBalancerSourceRanges on global zone sync service #7978 @slavogiez
  • feat(helm): add possibility to run universal zone cp on kubernetes #7924 @Automaat
  • feat(helm): add service-account features to egress and ingress #7864 @lahabana
  • feat(helm): add support for controlplane deployment annotations #7959 @slavogiez
  • feat(helm): allow to define service accounts annotations #7724 @lukidzi
  • feat(helm): allow to disable tls-checksum generation #7955 @lukidzi
  • feat(helm): minReadySeconds for control plane #7931 @jakubdyszkiewicz
  • feat(insights): jitter zone insights upsert #7925 @jakubdyszkiewicz
  • feat(insights): metrics of reason and result #7752 @jakubdyszkiewicz
  • feat(insights): multiple workers #7778 @jakubdyszkiewicz
  • feat(kds): add metrics to event based watchdog #7651 @jakubdyszkiewicz
  • feat(kds): add user-agent with useful version info #7886 @lahabana
  • feat(kds): allow to delay full resync when ticker #7782 @lukidzi
  • feat(kds): allow to disable KDS SOTW grpc api #7961 @lukidzi
  • feat(kds): better error handling #7868 @jakubdyszkiewicz
  • feat(kds): compact subscriptions in insights #7962 @jakubdyszkiewicz
  • feat(kds): enable delta by default #8262 @lahabana
  • feat(kds): execute filters on envoy admin streams #7905 @jakubdyszkiewicz
  • feat(kds): experimental event based watchdog #7624 @jakubdyszkiewicz
  • feat(kds): introduce zone health checks #7821 @michaelbeaumont
  • feat(kds): pass resource keys to resourceStore for delta kds #7654 @lukidzi
  • feat(kds): resource sync metric #7794 @jakubdyszkiewicz
  • feat(kds): response backoff #7997 @jakubdyszkiewicz
  • feat(kds): use hash-suffix for KDS sync #7519 @lobkovilya
  • feat(kuma-cp): add HealthCheck unary endpoint #7815 @michaelbeaumont
  • feat(kuma-cp): add basedOnKuma in cp_info metric #8218 @lahabana
  • feat(kuma-cp): add locality aware implementation for egress #8233 @Automaat
  • feat(kuma-cp): add support for Gateway in MeshLoadBalancingStrategy #8309 @Automaat
  • feat(kuma-cp): allow to disable backend validation #7901 @lukidzi
  • feat(kuma-cp): make OpenTelemetry control plane tracing fully configurable #7936 @michaelbeaumont
  • feat(kuma-cp): move KDS hash suffix under a feature flag #8363 @lobkovilya
  • feat(kuma-dp): support setting Envoy's --component-log-level #8241 @michaelbeaumont
  • feat(kumactl): support new inspect api #8192 @lahabana
  • feat(rsa): add support for PKIX encoded pubkeys #8179 @nicoche
  • feat(store): add owner reference to the secrets #7770 @slonka
  • feat(store): added postgres index for owner columns #7625 @lukidzi
  • feat(store): allow ResourceStore to be customized #7743 @bartsmykla
  • feat(store): conflict metrics #7753 @jakubdyszkiewicz
  • feat(store): consistent gets for read replica #7923 @jakubdyszkiewicz
  • feat(store): support postgres reader replica #7763 @jakubdyszkiewicz
  • feat(tenants): add extension points for sharding #7502 @jakubdyszkiewicz
  • feat(transparent-proxy): add --exclude-outbound-ports-for-uids #7588 @lahabana
  • feat(transparent-proxy): allow to wait for xtables lock and retry when installing tproxy fails #7870 @bartsmykla
  • feat(xds): auto reachable services based on MeshTrafficPermission #8125 @jakubdyszkiewicz
  • fix(MeshFaultInjection): include tags negation in header matching #8043 @bartsmykla
  • fix(MeshGateway): ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames #8156 @ttreptow
  • fix(MeshTrafficPermission): support permissive mtls #8171 @jakubdyszkiewicz
  • fix(TrafficRoute): use default value when choiceCount is 0 #7938 @lukidzi
  • fix(api-server): 400 error on admin operations on not yet connected stream #8039 @slonka
  • fix(api-server): always remove empty array in inspect gw api #8209 @lahabana
  • fix(api-server): avoid panic when there is no insight for entity #8068 @lahabana
  • fix(api-server): dataplane overview pagination #7803 @jakubdyszkiewicz
  • fix(api-server): empty list instead of null #7780 @jakubdyszkiewicz
  • fix(api-server): improve HandleError to handle rest_errors.Error and fix Unauthenticated error handling #7818 @bartsmykla
  • fix(api-server): improve error handling and return status #7937 @lahabana
  • fix(core): better lifecycle when context is getting cancelled #8268 @lahabana
  • fix(envoy): remove apple flag #8314 @lukidzi
  • fix(gatewayapi): don't set RefNotPermitted for GAMMA routes #7771 @michaelbeaumont
  • fix(gatewayapi): don't set listener ResolvedRefs based on routes ResolvedRefs #7809 @michaelbeaumont
  • fix(helm): do not run webhooks on kube-system #8157 @lahabana
  • fix(helm): make CNI configmap and serviceaccount support custom namespace #7956 @slavogiez
  • fix(helm): use bitnami/kubectl image for helm hooks #7656 @lahabana
  • fix(insights): have subscription gc also work for zoneEgress insights #7954 @lahabana
  • fix(insights): improve ZoneInsight subscription management #8153 @michaelbeaumont
  • fix(k8s): add namespace to deleteObjectIfExist in pod controller #8063 @slonka
  • fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations #8301 @slonka
  • fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services #8168 @bartsmykla
  • fix(kds): call CloseSend and exit a goroutine when sync fails to start #7869 @lukidzi
  • fix(kds): delta delivery metric #7793 @jakubdyszkiewicz
  • fix(kds): don't inc KdsGenerationErrors when context canceled #7913 @michaelbeaumont
  • fix(kds): experimental watchdog concurrent map write #7630 @jakubdyszkiewicz
  • fix(kds): set error when KDS clients fails in goroutine #7725 @lukidzi
  • fix(kds): try returning unavailable on app context finish #8050 @slonka
  • fix(kds): use deprecated method in otel #8366 @slonka
  • fix(kuma-cni): support port exclusion for UIDs #8319 @lobkovilya
  • fix(kuma-cp): change affinityTag field in MeshLoadBalancingStrategy t… #8294 @Automaat
  • fix(kuma-cp): cleanup interval should be calculated based on "expirationTime" for hashCache #8065 @lobkovilya
  • fix(kuma-cp): don't add postStart hook to builtin gateway even if waitForDataplaneReady: true #7939 @lobkovilya
  • fix(kuma-cp): don't configure RBAC rules on Prometheus listener #8172 @lobkovilya
  • fix(kuma-cp): fix Zone{In|E}gress sync when no mesh #8129 @bartsmykla
  • fix(kuma-cp): meta validation compatible with Kubernetes naming rules #7976 @lobkovilya
  • fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes #7909 @lobkovilya
  • fix(kuma-cp): take proper context for resync #7805 @lukidzi
  • fix(kuma-cp): use GetConsistent store when validating default mesh resources #7949 @lukidzi
  • fix(kuma-cp): using policy name with "." causes hash to be inserted in the wrong place on the zone #8240 @lobkovilya
  • fix(kuma-dp): advise user to check pod events when data plane rejected by webhooks #8257 @jijiechen
  • fix(kuma-dp): fix build #8282 @Automaat
  • fix(kuma-dp): fix incorrect dataplane name due to mangled env vars #8199 @bartsmykla
  • fix(kumactl): add --mesh parameter to inspect <policy> #7696 @lahabana
  • fix(observability): add annotation to make observability while running CNI work #8330 @slonka
  • fix(policy): improve targetRef name and tags validation #7972 @alparslanavci
  • fix(store): fix passing logs to pglock #8040 @slonka
  • fix(store): use customizer for postgres ro pool #7769 @jakubdyszkiewicz
  • fix(transparent-proxy): fix --wait flags for iptables legacy #8364 @bartsmykla
  • fix(xds): backwards compatibility on access logs paths #7662 @jakubdyszkiewicz
  • fix(xds): use stable hashes for outbound cluster names #8081 @michaelbeaumont
  • perf(insights): fetch dp overviews once #7652 @jakubdyszkiewicz
  • perf(insights): fetch external services once #7796 @lukidzi
  • perf(insights): refresh only changed #7737 @jakubdyszkiewicz
  • perf(store): postgres transactions #7995 @jakubdyszkiewicz
  • perf(xds): put the Gatewaylisteners in the Proxy #8051 @lahabana