Osm Versions Save

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

v1.2.4

1 year ago

Notable Changes

Deprecate support for TLS v1.0 and TLS v1.1 for the Envoy proxy TLSMaxProtocolVersion option
Reduce minimum TLS version from v1.3 to v1.2 for the osm controller, verifier, and health servers
Support robust CRD conversion patching on upgrade to ensure reconciliation is controlled by the newer OSM version

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.3 and v1.2.4

Changelog

chore(release): bump version to v1.2.4 and update release notes (#5330) 82651008921837b2f21113e4604a807c3f68a97c (Jackie Elliott)
build(deps): bump github.com/docker/docker (#5315) (#5323) e15600804f60722195d192c7c9ae6b5bb0503032 (Jackie Elliott)
Update addEventHandler return values eda8335f6a91872b7e93686cbe850c1e85ba050f (jaellio)
build(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#5283) 2d9d8a90c9404136822570ffb7d87567ab0e6630 (dependabot[bot])
[backport] build(deps): bump github.com/hashicorp/vault from 1.12.0 to 1.12.5 (#5305) 00248280d2c0a2923398a0d6a0e22120a79aa230 (Jackie Elliott)
[backport] build(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.18 (#5286) (#5304) 60285f9fc0fb0870af8cc3d88fd795c93cacd1ae (Jackie Elliott)
[backport] Add more robust CRD conversion patching (#5303) c55b7db880f6b400c8983e900e44938e1574fa19 (Jackie Elliott)
fix(): remove support for incompatible tls versions for envoy TLSMaxProtocolVersion (#5298) 00fd7e30a57acb18d0000b73f16ec529f087586b (Whitney Griffith)
fix(): reduce minimum tls version for osm controller, verifier, health (#5292) 1a9b0678322aa708144e0e63c1b62dd776648185 (Whitney Griffith)

v1.1.4

1 year ago

Notable Changes

Deprecate support for TLS v1.0 and TLS v1.1 for the Envoy proxy TLSMaxProtocolVersion option
Reduce minimum TLS version from v1.3 to v1.2 for the osm controller, verifier, and health servers
Support robust CRD conversion patching on upgrade to ensure reconciliation is controlled by the newer OSM version

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.3 and v1.1.4

Changelog

chore(release): bump version to v1.1.4 and update release notes (#5329) 5cc73b89c89e4f8ca9cbccf442e371abec9cae6e (Jackie Elliott)
[backport] build(deps): bump github.com/docker/docker (#5315) (#5325) f978473a6eef0d671337726d730752d54983ef30 (Jackie Elliott)
fix(): remove support for incompatible tls versions for envoy TLSMaxProtocolVersion (#5298) 784d680ee3414c49324387dd5f14bef159d8c59a (Whitney Griffith)
fix(): reduce minimum tls version for osm controller, verifier, health (#5292) 0582092e5edc91a5c85688b68416f6693be633d1 (Whitney Griffith)
Add more robust CRD conversion patching 8c6cdfd26858e9422a240a10a51d6783a19cd016 (Keith Mattix II)
Add shalier, keithmattix, and steeling as codeowners for v1.1 (#5319) 01f7fff9c8fceac11af33950693a140c3e101cb9 (Jackie Elliott)

v1.2.3

1 year ago

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.2 and v1.2.3

Changelog

Release v1.2.3 368fda991a7bc78cb7a863be5d3e6d9c4e889af7 (Keith Mattix II)
bump version of go to 1.19 (#4972) 8ed34f8ba62eb5cb11add9b58eb010cf2870b40c (steeling)
Upgrade cert-manager to v1.10.0 (#5230) 56679ed53b4f1a1860d9d2a4ca62193fd59108f1 (Keith Mattix II)
Add @shalier as CODEOWNERS (#5264) 7eefefe9067dfa0877dfdeb4e430713492a243ac (Keith Mattix II)
Add @shalier as a codeowner maintainer (#5261) 9559491892fa2213d62461965c8bff5721df0761 (Thomas Stringer)
Move snehachhabria and draychev to emeritus status (#5260) 9f8e06a9554bc4a8e521039513a534603f3e0289 (Thomas Stringer)
Allow all headless services, not just those backed by Statefulsets with subdomains (#5250) 25c8e53d1803e6d4c6ed9f6e5b6ddb3e600cb891 (Keith Mattix II)

v1.2.2

1 year ago

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.1 and v1.2.2

Changelog

chore(release): Bump Chart.yaml to 1.2.2 (#5215) 6815b679c1b182bace25abc16de5afb494777283 (Shalier Xia)
Fixes CVE-2022-27664 and CVE-2022-32149 d503b998e3351c06e2a416bb160f84f6b0b4d4dd (Shalier Xia)
[backport] cherry-pick 05e31c4 into release-v1.2 817a340dab25bf02c7bb39275e9aa586dac13f10 (Sanya Kochhar)
[backport] cherry-pick 988003b into release-v1.2 b26adc14d68397860fabeedfff84ccfe119085e8 (Sanya Kochhar)
[backport] cherry-pick 9858c75 into release-v1.2 dd698bbef9c550bc73d77a5d44470f9821d2f778 (Keith Mattix II)
[backport] cherry-pick a016262 to release-v1.2 71e6847904033421ba2c7a69339b978957879083 (steeling)

v1.1.3

1 year ago

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.2 and v1.1.3

Changelog

chore(release) bump Chart.yaml version to 1.1.3 (#5216) 5397803cc97a25638a5d405b160c0ce400e512c7 (Shalier Xia)
Fixes CVE-2022-27664 and CVE-2022-32149 40901f79d80c2f12d5fa103ca8180e5065a5446a (Shalier Xia)
[backport] cherry-pick 05e31c4 into release-v1.1 32fb680beea0429691d9b96600ecac59b54ce747 (Sanya Kochhar)
[backport] cherry-pick 988003b into release-v1.1 8f6cf95417ded2c7e41a3b75c90e0ede36633e0a (Sanya Kochhar)
[backport] cherry-pick 9858c75 into release-v1.1 170b3334a75acf7bfe2157a509135c05f6c11971 (Keith Mattix II)
[backport] cherry-pick a016262 to release-v1.1 a54a55c6271515aee12cbee3bec514f028021515 (steeling)

v1.2.1

1 year ago

Notable Changes

Deprecation Notes

CRD Updates

No CRD changes between tags v1.2.0 and v1.2.1

Changelog

bump Chart.yaml version to v1.2.1 (#5082) 76db0c6d81c67b1434bd248f0463ca43870862cb (Shalier Xia)
[backport] cherry-pick 68e99ebb to release-v1.2 (#5069) 0b6a18f080d3e29922332464ffa81a8457f847e1 (Shalier Xia)
[backport] cherry-pick commit 15e46da to release-v1.2 (#5063) d2175d3bbba39630fdecc31f155c2184a37ffa5b (Niranjan Shankar)

v1.1.2

1 year ago

Notable Changes

Remove crdconversion webhooks to fix circular dependency bug

Deprecation Notes

CRD Updates

No CRD changes between tags v1.1.1 and v1.1.2

Changelog

bump Chart.yaml to v1.1.2 (#5083) cc859d5562709c0c52379dab267b4bfc425790f4 (Shalier Xia)
[backport] cherry-pick 68e99eb to release-v1.1 (#5071) 2bb5ad55f27176aa920d545dcc3b26b20a3a0a41 (Niranjan Shankar)
[backport] add root path ingress e2e test (#4756) (#4765) fff4b0cc7c2d159cc21c0169eca73093fb81a3ec (Niranjan Shankar)

v1.2.0

1 year ago

Notable changes

Custom trust domains (i.e. certificate CommonNames) are now supported
The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
- This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar
Added support for Kubernetes 1.23 and 1.24
Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
Statefulsets and headless services have been fixed and work as expected

Breaking Changes

The following metrics no longer use the label common_name, due to the fact that the common name's trust domain can rotate. Instead 2 new labels, proxy_uuid and identity have been added.
- osm_proxy_response_send_success_count
- osm_proxy_response_send_error_count
- osm_proxy_xds_request_count
Support for Kubernetes 1.20 and 1.21 has been dropped
Multi-arch installation supported by the Chart Helm by customizing the affinity and nodeSelector fields
Root service in a TrafficSplit configuration must have a selector matching the pods backing the leaf services. The legacy behavior where a root service without a selector matching the pods backing the leaf services is able to split traffic, has been removed.

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0

Changelog

chore(release): cut v1.2.0 (#4927) 893ff8722a65bbfc2afa6e416bdca88c58393d00 (Jon Huhn)
chore(release): add missing cherry picks (#4932) 4c832d1e49c20006abc818f859365d0488c77890 (Jon Huhn)
fix: update v1.2 release notes (#4916) (#4918) 929c114e5c52aa57a2c93df4af49b117b2cca110 (Jackie Elliott)
demo/scripts: fix bookstore app label and container name (#4910) 9749020d71c5ed301ceca89210f4f2c8bdcfc5f5 (Shashank Ram)
[backport] traffic-split: update root service selector & targetPort usage (#4902) (#4905) f5f360388c397bd26fee17782380f59a95d324c6 (Shashank Ram)
Fix Contour helm chart (#4901) 951d403b34e12cab5a3c520be41ea324ef54f360 (Keith Mattix II)
update release versions and image digests (#4886) d40f9b8cea95f6910487334ebc9544795a1e090d (steeling)
rename test files to include _test suffix (#4882) 3a7c924c9ebdedf9513220fc5d1c527b933f71b9 (steeling)
Modify release notes (#4865) 84e2bf17186140cf1e2301171910ac9cad83267e (Keith Mattix II)
Plumb trust domain through to helm chart (#4877) c0264ecc33d23cddc6993ef352e7ddc7a34b75f5 (Keith Mattix II)
Add GitHub Action to require size and kind labels (#4876) 4da737e20b5567f7b537c2822fd91290bd014503 (Thomas Stringer)
ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf19209feba546fcce471e856ec5f90144a6 (Jackie Elliott)
test((benchmark): add Golang benchmark test cases c7036e71106957a15e8ac12d29e87ff8a9bc0baa (Allen Leigh)
small cert related changes. (#4870) fa17242a34b39d87b6555774795563aede46efaa (steeling)
Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989adef0b3dd617edcec3d1c56ec73d56ba0c (steeling)
Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559b8303f8df8da52dcf8d050600d7826a3e (steeling)
Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c78113c0b42dea9846bacf4e4c542ce6eedfd (Thomas Stringer)
self-nominate steeling as a maintainer (#4824) 854edda7e20135649396e4fdf2b2ca730ade58e0 (steeling)
Add @keithmattix as a codeowner maintainer (#4861) 9d5e44242ca0171b1cf8347ec70bec112ead76ef (Thomas Stringer)
Don't allow envoy sidecar privilege escalation (#4860) 80de3bb5c1108ffc1964380dbe2573eef2af2497 (Keith Mattix II)
Fix MRC status (#4856) bb007fd301d570f2cbb4ea89f394025036913dfb (Keith Mattix II)
validator: validate HTTP rate limiting status code (#4857) 4a1b9938659cd0bbaa3870041e9084797ad9f841 (Shashank Ram)
release-notes: add rate limiting to v1.2 notes (#4859) 9222555e1c001fd432348f718ac2c5ca23f03264 (Shashank Ram)
Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee6499208fb2871f77660208b778661db9652 (steeling)
Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ead429a3863d9921f72628d96ea9b5bec14 (Shalier Xia)
fix: update configClient call and logging (#4854) d970b249aa4a5ba4624a4bd9f4e2374a4ed0bab2 (Jackie Elliott)
feat(certs): get Vault token from Secret (#4753) baff85f1ff1bde9212a1a9addede3a25b90fe72c (Jackie Elliott)
Fix flaky e2e tests (#4844) 4a3d57da27b75dba7124c8e7af769f21dbf59641 (Keith Mattix II)
rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3cfd1886056ad873110de3f9bbbe265f4b (Shashank Ram)
install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e8e104279b4d951a32720e06f4257fd80a (steeling)
Update Kubernetes version testing (#4836) 831f0234acba4f16dc650546c22072794ab55712 (Thomas Stringer)
envoy: update to latest version and fix typed proto usage (#4834) 08c646bec77a56c466ca6a942bcad7aff717769e (Shashank Ram)
fix(certs): update checkAndRotate to use current durations (#4800) 28b32389bb8d792d2ac2f8ab8433b647a4a0926d (Jackie Elliott)
cli: Shows message for no meshes (#4738) 905005f779f0c372a3b018a3f693b6d124e81432 (mudit singh)
Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732bced2812f5c3ac72cfd672b64ddb1ce05 (Jackie Elliott)
cert: Use MRCs on startup (#4816) 30885c986a29bfcedb21c18425a1bf37357aa502 (Keith Mattix II)
start with a clean slate for future multicluster work (#4805) e3700d67751a98d09f3a40f45e5dfedc8e2a933f (steeling)
feat(certs): use State for MeshRootCertificate status (#4812) 46b71656841e52ba0a5a8763244f5bd8c916f55b (schristoff)
Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3b7e9577265f86dadf12fc790775891ad8 (steeling)
doc: use lower case for "cloud native" (#4792) 8b1c3cceabf6134e0e13f410e92da7faaf46574f (mudit singh)
rate-limit: implement connection level local rate limiting (#4823) ac2786869c7fac7f21cdf82166be9f02de86ab38 (Shashank Ram)
cli: Improved error handling (#4808) 327b5b088a99ba6a096cc15089c2b4fe9bab59de (mudit singh)
envoy/cds: add nil check for ConnectionSettings (#4821) a5b37165c9d70dc9edfdd5eaa74f850beff3aaa6 (Shashank Ram)
ref(contributors): update contributor roles and requirements (#4776) 5ee33f31e01148f4b4c418d9f5fee75c46be578d (Shalier Xia)
envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f7296990c2665098958c38afc87be952efe8db2 (Shashank Ram)
Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07ae5a192ac0b86f86a3d35aa14c347c1625 (Thomas Stringer)
(k8s/informers): use InformerCollection for other clients (#4804) 241e8ae27e8269bd2e51c98a135d748b30921ddb (Keith Mattix II)
rate-limiting: plumb config into inbound policies (#4807) 7046cf28d0b1e94214f07b9cd9350ecc6c0a05de (Shashank Ram)
Set (empty) trust domain on listener builder (#4802) 3061b05634c365d9cbc936f835549d7b7b615886 (steeling)
rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532c76278aea9e8bec71801585e01bf3db04 (Shashank Ram)
k8s/informers: centralize informers to simplify code (#4801) 47c06ab0dad371ba51f1319b2127b552158cf456 (Keith Mattix II)
docs(README): move support to a community support file (#4785) 914e8f3d8cbbe316b3ea1211411c84e3afa33f5b (Zach Rhoads)
Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e55d615eff5ff20f3729010ca965f56398a (steeling)
apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba341d94b8a8118def5d332118a2a74855af (Shashank Ram)
docs(contrib): add security.md (#4722) 0ba8d42debafebebda9dc22978af53018290f0ca (schristoff)
Increase retry timeout cert-manager (#4795) 412fbcbe4fbae7d7ae6c140441bd5ad16dc69bbe (Niranjan Shankar)
ref(*): remove CN from *envoy.Proxy (#4773) c318b686e13bd63836f2e2abb92a9994b56558fa (steeling)
demo: Add scripts for Kafka demo (#4770) d3596c0c7bee331609ccdac7714c3dcdea4b5a81 (Keith Mattix II)
ref(certs): mrc ca handling (#4781) 6045fb7111f4a5ed614e34152b78ae1ddb4f8788 (Keith Mattix II)
feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7797b25e5bf5116e64aee017dd8e61c2da (Jon Huhn)
fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72e5662d1c7a0dc54e2e42843b86ce381d6 (Niranjan Shankar)
feat(certs): add trust domain to mesh root certificate (#4767) c24012f334a5c506d9b9a737eb383d981a253abc (steeling)
Decouple certificate common name from proxy registry (#4763) 436e24f52e7e32e81feb34b408e614036f636e48 (steeling)
test(*): add retry policy e2e (#4600) 28ed5319897c3c5fefc34ab876517bebc11f8372 (Shalier Xia)
ref(ci): update actions/setup-go to v3 db7148222b62b837162370cde9839c185f46b594 (Jon Huhn)
ref(ci): run tests/scenarios as unit tests 6c38317181deec375be0d852cb64d4b5ee489b1e (Jon Huhn)
Decouple certificate common name from various components (#4759) ae53c47217409e8f9e75cd45e851a809b1e71bad (steeling)
Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a72a222f3db8e3889d7eda7b1c9829bb4f8 (Thomas Stringer)
ref(e2e): move k8s version test config to CI 5ec3e75a13d43f6ac34c32f7bfd8036326707540 (Jon Huhn)
ref(ci): remove PR/push distinction in e2e tests f73b9af0698d0e71a99bffce1240384e9465a455 (Jon Huhn)
feat(certs): create MRC on install (#4747) 7ddd4d185e3715973860bed60eaf66b38ed68b29 (Jackie Elliott)
remove unused code paths (#4758) 27ab5a7266dd3ef24b60b104b6a576a57aff2f30 (steeling)
Add root path ingress e2e test (#4756) 15f0a18f5646b9ebedd61b8b637dc09ef3a61539 (Niranjan Shankar)
fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60f04c11525d07f83d52e0cb244ec47b3dd (Thomas Stringer)
contrib: add guideline for design docs (#4757) a241cba677f1298c050aec03d30fcac9214830c0 (Shashank Ram)
feat(cert): cert rotation state management (#4743) ecc4e6713cc87a51a28bf2a1ed3d74a34b9c9d54 (steeling)
Feature/statefulsets: fix protocol detection for ports (#4752) 9b11d76e5583a74e56d07c57786cbe56bf9953c2 (Keith Mattix II)
remove head of line blocking from workerpool (#4648) d1ef8b13e09724cb0e501b9560904b29732f3618 (steeling)
cli/verifier: add control plane health probe checks (#4751) dd42d04b2dd1140975370ce1adb97aeb4ed989a4 (Shashank Ram)
(feat/statefulsets): MeshService API changes for Headless Services (#4704) 0af42df42c136e34639eb926c589ae0a5b0065ba (Keith Mattix II)
fix(demo): remove unneeded port-forward for bookstore (#4740) 3395da58f49df2ec50481c791a50345d322f51a3 (Jon Huhn)
ref(certs): use secretKeyRef for Vault token in MRC (#4736) 855776a1cd8aa448c92a9bec6dedac1069be3bc7 (Jackie Elliott)
cli/verifier: use pod status conditions for readiness check (#4749) 9ffa3d38c4c261df57bbbb3233f64f54bf68c9c2 (Shashank Ram)
ref(certs): unexport methods on cert manager (#4742) 21bc67dc31f4f8d235b32981708c6e0d2f7069a6 (steeling)
cli/verifier: add ingress verification (#4715) ec9b9f92379fe972a9e1363bcfbea5dfa6df7d6b (Keith Mattix II)
feat(certificate): create a compat layer for provider generation (#4718) 00bc36338dd1fea4171af5d87dbf6ed5a8a0229f (steeling)
feat(envoy): allow websocket upgrade for all http connections (#4741) 96e0879ee3246a08d9c8c3500a31342a9c6b1751 (Martin Andreas Ullrich)
cli/verifier: add control-plane-health command (#4734) fc638c334b607cc9f3987e75812c964df208e2f7 (Shashank Ram)
feat(api/MeshRootCertificate): add informer client (#4721) 5a885ef60653fb4c987c847b33ece14bad56dfba (Jackie Elliott)
chore(release): update chart version (#4730) 102baf57c514003f1a45d31d4b3dc78bdcbed602 (Jon Huhn)
cli/verifier: add cluster check for egress (#4729) 53a22380667a95ccf79fb75aff8a2c46e5f1b2a5 (Shashank Ram)
fix(demo): default USE_PRIVATE_REGISTRY to false (#4727) 6a5e6892480351a1cfa21fb0bca1098e6e2ddc80 (Jon Huhn)
refactor(cmd/cli): update uninstall cmd (#4664) 76d177f5b47ac1838f21c3307fbb838cbd64f564 (Shalier Xia)
egress: add cli verifier and rename traffic match (#4724) a6d71d2e7e6ac5c1703fadf0e29bbf575ad016bb (Shashank Ram)
policy: Updates retry policy API (#4627) 12780558e3e9b412b431143e2ac6e400dc119897 (Shalier Xia)
ref(cert): update Manager to support mult clients (#4705) a8330dca33af3e1c5fac326dbd6409322a613034 (Jackie Elliott)
cli/verifier: add stubs for egress checks (#4719) 87b709d4316cc6f83677653bbaa929f506df5447 (Shashank Ram)
cli/verifier: verify presence of secrets (#4714) 55bdb17d93d9a527db3bc51c3a64cc3da281aba2 (Shashank Ram)
Fix e2e_client_server_connectivity_test noInstall (#4708) 1e7d22a41f291c8b89fddcbcd5934dc416d0f937 (Niranjan Shankar)
refactor k8s root ca secret access (#4657) bd5247bcb4bb297f061f883ac0a8ea8e63632d00 (steeling)
ref(certs): refactor k8s root ca secret access (#4657) 896fb7af871e7dbf74d4bd27863ef0336105913a (steeling)
crds: add MeshRootCertificate CRD (#4687) 19eb1618a0904275d0d2052d96b296e78d39357a (Jackie Elliott)
docs(contrib): recommend not rewriting git history (#4709) 876579b9a779f83259fd042ba8cc89f919297330 (Jon Huhn)
bugreport: collect more ingress & control plane info (#4703) 13802e81d5af6c217ec95fb834370895dfcd9aff (Shashank Ram)
pkg/injector: Enable podIP proxying via meshconfig setting (#4701) 0ad92c9ae9a617617e99312f87bd2779715bfcf2 (Keith Mattix II)
add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 63715c04ea86c7d03805cf5fdae961e7b7ce4e82 (steeling)
feat(injector): add list of ignored network interfaces (#4700) f922b5c21d2e657b85b5130fcc9fd14b22b8af0b (Jon Huhn)
cli/verifier: check presence of service cluster (#4695) ddd10e2c819d55133b9f2153d3032fa19e65dbb1 (Shashank Ram)
config/meshConfig: New localProxyMode field (#4686) 86690a3cece5a3e41c488980970cc622f77fa50c (Keith Mattix II)
feat(certificates) rework cert manager, integrate rotor (#4645) d4853664a5ee34dfaf7367b54822b307bd19d99e (schristoff)
fix(certificates): fail politely in tresor's cert issuer (#4696) ce2a0e5fccd294baae78cdf77640a3fe38d9b5a3 (schristoff)
cli/verifier: derive appProtocol from service (#4691) 77b4dd80462176224fb540330f9d77d164801d06 (Shashank Ram)
Support pod recreation for the kubectl debug command. (#4688) 0a1653e13222749591f93a5742d0cea6e3309ea5 (steeling)
cli/verifier: verify basic HTTP route configs (#4682) 24a494b2b5921ef63bb3dbe593ced37ffe36dfd2 (Shashank Ram)
Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) bc3ff995b616c77e7d21099d5339185665d92585 (Keith Mattix II)
config/meshConfig: New localProxyMode field (#4671) (#4680) a8a3dbbe45d80760103b9cb56420adfea753fb6b (steeling)
apis: add MeshRootCertificate API types (#4677) 455887d015e861f7ffaff6b82db2d621bcce1cb9 (Jackie Elliott)
ref(injector): load bootstrap SDS configuration from filesystem (#4635) 0163584e3d3d7bb730f3429e8967e03fbf7e5f50 (Jackie Elliott)
fix(doc): update release guide (#4661) 4f204ddb5ba2c074c9879a93457d6a66aed40a6c (Jon Huhn)
feat(metrics): add osm_events_queued metric (#4670) 4cd4f6af382548538fa451974e2a12c5d817cb4d (Jon Huhn)
config/meshConfig: New localProxyMode field (#4671) 966405b29161ee650d01a8c0ebaa5fe4ed324b79 (Keith Mattix II)
IngressBackend UpstreamTrafficSetting validations (#4640) a54b4048ca2778cbcf6700ed241086ceacb69fd6 (Keith Mattix II)
expose the version information via prometheus (#4679) 1faa13a769825b71cdd41632b36876b32b4688b8 (steeling)
fix: upgrade vulnerable library crypto (#4676) 1550133d9b5c2e7dcea61750f09a96796449ecd0 (allenlsy)
ref(test): migrate e2e app to Fortio (#4631) cf1395e3cf5a6f89a87c4b8eb3e4e8149b83fc5b (allenlsy)
cli/verifier: verify destination for connectivity config (#4672) f04a61397a005fb85f74179166fdb41d6d522e7c (Shashank Ram)
chore(release): Update Chart.yaml to use release v1.1 (#4662) 2f36980f85279ea8ddec80a261fe7bf76743648a (schristoff)
envoy/verifier: add source config checker (#4658) 82492c0b50cb701df50a401018c1cae363208765 (Shashank Ram)
update prometheus v2.34.0 (#4666) f021edde5d81b293f5318bb50bfc841f73381120 (Niranjan Shankar)
tests: move fakes to own sub-package (#4667) 5c966acb814130ca9334714ec4fa75351c4c41e1 (Shashank Ram)
Reword the README note about OSM's production readiness. (#4660) 46781f2bec6db4a6864ecc9ab9c2f0a532f96b40 (Thomas Stringer)
cli/verifier: add Envoy config dump parser (#4646) a918abff99a2106f913302db2fc8705651d2a72d (Shashank Ram)
ref(smi): remove unused kubeClient from smi client (#4643) 95a898f14608224361f4d6eefbeaa463e3f852c5 (Deepesh Pathak)
cli: add verify command (#4639) 9be0fa424290be851f70abe78a633925ae49fb00 (Shashank Ram)
Add --overwrite to kubectl label cmd in osm bootstrap (#4641) af50d175a650e2047b2f59f4604fc88923e1cb60 (Niranjan Shankar)
fix(ci): fix lint (#4629) 9ca8e413895937b8543547b777153a5474f1a2dd (Jon Huhn)

v1.2.0-rc.1

1 year ago

Notable changes

OSM certificate provider is now configured using the new CRD, MeshRootCertificate
- Custom trust domains (i.e. certificate CommonNames) are now supported
The authentication token used to configure the Hashicorp Vault certificate provider can now be passed in using a secretRef
Along with root certificate rotation we support custom trust domains, as well as rotating to new trust domains with no downtime.
Envoy has been updated to v1.22 and uses the envoyproxy/envoy-distroless image instead of the deprecated envoyproxy/envoy-alpine image.
- This means that kubectl exec -c envoy ... -- sh will no longer work for the Envoy sidecar
Added support for Kubernetes 1.23 and 1.24
Rate limiting: Added capability to perform local per-instance rate limiting of TCP connections and HTTP requests.
Statefulsets and headless services have been fixed and work as expected

Breaking Changes

The following metrics no longer use the label common_name, due to the fact that the common name's trust domain can rotate. Instead 2 new labels, proxy_uuid and identity have been added.
- osm_proxy_response_send_success_count
- osm_proxy_response_send_error_count
- osm_proxy_xds_request_count
Support for Kubernetes 1.20 and 1.21 has been dropped
Multi-arch installation supported by the Chart Helm by customizing the affinity and nodeSelector fields

CRD Updates

No CRD changes between tags v1.1.1 and v1.2.0-rc.1

Changelog

update release versions and image digests (#4886) d40f9b8cea95f6910487334ebc9544795a1e090d (steeling)
rename test files to include _test suffix (#4882) 3a7c924c9ebdedf9513220fc5d1c527b933f71b9 (steeling)
Modify release notes (#4865) 84e2bf17186140cf1e2301171910ac9cad83267e (Keith Mattix II)
Plumb trust domain through to helm chart (#4877) c0264ecc33d23cddc6993ef352e7ddc7a34b75f5 (Keith Mattix II)
Add GitHub Action to require size and kind labels (#4876) 4da737e20b5567f7b537c2822fd91290bd014503 (Thomas Stringer)
ref: use binary flag to enable use of MeshRootCertificate (#4871) aa1abf19209feba546fcce471e856ec5f90144a6 (Jackie Elliott)
test((benchmark): add Golang benchmark test cases c7036e71106957a15e8ac12d29e87ff8a9bc0baa (Allen Leigh)
small cert related changes. (#4870) fa17242a34b39d87b6555774795563aede46efaa (steeling)
Refactor Envoy bootstrap from BuildFromConfig() to Builder{}.Build() + health probe tests (#4858) 3bf989adef0b3dd617edcec3d1c56ec73d56ba0c (steeling)
Abstract webhook logic to prepare for rotating certificates (#4833) c8d7559b8303f8df8da52dcf8d050600d7826a3e (steeling)
Ignore CODEOWNERS and OWNERS for CI (#4867) 2b7c78113c0b42dea9846bacf4e4c542ce6eedfd (Thomas Stringer)
self-nominate steeling as a maintainer (#4824) 854edda7e20135649396e4fdf2b2ca730ade58e0 (steeling)
Add @keithmattix as a codeowner maintainer (#4861) 9d5e44242ca0171b1cf8347ec70bec112ead76ef (Thomas Stringer)
Don't allow envoy sidecar privilege escalation (#4860) 80de3bb5c1108ffc1964380dbe2573eef2af2497 (Keith Mattix II)
Fix MRC status (#4856) bb007fd301d570f2cbb4ea89f394025036913dfb (Keith Mattix II)
validator: validate HTTP rate limiting status code (#4857) 4a1b9938659cd0bbaa3870041e9084797ad9f841 (Shashank Ram)
release-notes: add rate limiting to v1.2 notes (#4859) 9222555e1c001fd432348f718ac2c5ca23f03264 (Shashank Ram)
Separate bootstrap building logic into the envoy/bootstrap package (#4838) 226ee6499208fb2871f77660208b778661db9652 (steeling)
Customize affinity, nodeSelectors and tolerations in values.yaml (#4842) 45b19ead429a3863d9921f72628d96ea9b5bec14 (Shalier Xia)
fix: update configClient call and logging (#4854) d970b249aa4a5ba4624a4bd9f4e2374a4ed0bab2 (Jackie Elliott)
feat(certs): get Vault token from Secret (#4753) baff85f1ff1bde9212a1a9addede3a25b90fe72c (Jackie Elliott)
Fix flaky e2e tests (#4844) 4a3d57da27b75dba7124c8e7af769f21dbf59641 (Keith Mattix II)
rate-limiting: add HTTP local rate limiting capability (#4846) f3966a3cfd1886056ad873110de3f9bbbe265f4b (Shashank Ram)
install: use friendlier defaults for egress and permissive mode (#4837) 8fd236e8e104279b4d951a32720e06f4257fd80a (steeling)
Update Kubernetes version testing (#4836) 831f0234acba4f16dc650546c22072794ab55712 (Thomas Stringer)
envoy: update to latest version and fix typed proto usage (#4834) 08c646bec77a56c466ca6a942bcad7aff717769e (Shashank Ram)
fix(certs): update checkAndRotate to use current durations (#4800) 28b32389bb8d792d2ac2f8ab8433b647a4a0926d (Jackie Elliott)
cli: Shows message for no meshes (#4738) 905005f779f0c372a3b018a3f693b6d124e81432 (mudit singh)
Fix failing e2es with GinkgoRecover and resolve CVE-2022-28948 (#4832) 8da8732bced2812f5c3ac72cfd672b64ddb1ce05 (Jackie Elliott)
cert: Use MRCs on startup (#4816) 30885c986a29bfcedb21c18425a1bf37357aa502 (Keith Mattix II)
start with a clean slate for future multicluster work (#4805) e3700d67751a98d09f3a40f45e5dfedc8e2a933f (steeling)
feat(certs): use State for MeshRootCertificate status (#4812) 46b71656841e52ba0a5a8763244f5bd8c916f55b (schristoff)
Leverage trust domain in issuing certs; remove TD from identity (#4782) 5ab34a3b7e9577265f86dadf12fc790775891ad8 (steeling)
doc: use lower case for "cloud native" (#4792) 8b1c3cceabf6134e0e13f410e92da7faaf46574f (mudit singh)
rate-limit: implement connection level local rate limiting (#4823) ac2786869c7fac7f21cdf82166be9f02de86ab38 (Shashank Ram)
cli: Improved error handling (#4808) 327b5b088a99ba6a096cc15089c2b4fe9bab59de (mudit singh)
envoy/cds: add nil check for ConnectionSettings (#4821) a5b37165c9d70dc9edfdd5eaa74f850beff3aaa6 (Shashank Ram)
ref(contributors): update contributor roles and requirements (#4776) 5ee33f31e01148f4b4c418d9f5fee75c46be578d (Shalier Xia)
envoy|catalog: use TrafficMatch to build inbound filter config (#4814) 3f7296990c2665098958c38afc87be952efe8db2 (Shashank Ram)
Resolve CVE-2022-31030 by upgrading containerd to v1.5.13 (#4813) c90f07ae5a192ac0b86f86a3d35aa14c347c1625 (Thomas Stringer)
(k8s/informers): use InformerCollection for other clients (#4804) 241e8ae27e8269bd2e51c98a135d748b30921ddb (Keith Mattix II)
rate-limiting: plumb config into inbound policies (#4807) 7046cf28d0b1e94214f07b9cd9350ecc6c0a05de (Shashank Ram)
Set (empty) trust domain on listener builder (#4802) 3061b05634c365d9cbc936f835549d7b7b615886 (steeling)
rate-limiting: add spec to UpstreamTrafficSetting CRD (#4803) 76ff532c76278aea9e8bec71801585e01bf3db04 (Shashank Ram)
k8s/informers: centralize informers to simplify code (#4801) 47c06ab0dad371ba51f1319b2127b552158cf456 (Keith Mattix II)
docs(README): move support to a community support file (#4785) 914e8f3d8cbbe316b3ea1211411c84e3afa33f5b (Zach Rhoads)
Remove unused code paths and switch the policy object to a policy builder (#4791) eb281e55d615eff5ff20f3729010ca965f56398a (steeling)
apis: add local rate limiting to UpstreamTrafficSetting (#4796) 1e73ba341d94b8a8118def5d332118a2a74855af (Shashank Ram)
docs(contrib): add security.md (#4722) 0ba8d42debafebebda9dc22978af53018290f0ca (schristoff)
Increase retry timeout cert-manager (#4795) 412fbcbe4fbae7d7ae6c140441bd5ad16dc69bbe (Niranjan Shankar)
ref(*): remove CN from *envoy.Proxy (#4773) c318b686e13bd63836f2e2abb92a9994b56558fa (steeling)
demo: Add scripts for Kafka demo (#4770) d3596c0c7bee331609ccdac7714c3dcdea4b5a81 (Keith Mattix II)
ref(certs): mrc ca handling (#4781) 6045fb7111f4a5ed614e34152b78ae1ddb4f8788 (Keith Mattix II)
feat(metrics): add osm_reconciliation_total metric (#4788) 7de17d7797b25e5bf5116e64aee017dd8e61c2da (Jon Huhn)
fix(e2e): add openshift SCC zookeeper (#4787) dd5ec72e5662d1c7a0dc54e2e42843b86ce381d6 (Niranjan Shankar)
feat(certs): add trust domain to mesh root certificate (#4767) c24012f334a5c506d9b9a737eb383d981a253abc (steeling)
Decouple certificate common name from proxy registry (#4763) 436e24f52e7e32e81feb34b408e614036f636e48 (steeling)
test(*): add retry policy e2e (#4600) 28ed5319897c3c5fefc34ab876517bebc11f8372 (Shalier Xia)
ref(ci): update actions/setup-go to v3 db7148222b62b837162370cde9839c185f46b594 (Jon Huhn)
ref(ci): run tests/scenarios as unit tests 6c38317181deec375be0d852cb64d4b5ee489b1e (Jon Huhn)
Decouple certificate common name from various components (#4759) ae53c47217409e8f9e75cd45e851a809b1e71bad (steeling)
Fix CVE-2022-28948 by patching gopkg.in/yaml.v3 (#4771) 324a1a72a222f3db8e3889d7eda7b1c9829bb4f8 (Thomas Stringer)
ref(e2e): move k8s version test config to CI 5ec3e75a13d43f6ac34c32f7bfd8036326707540 (Jon Huhn)
ref(ci): remove PR/push distinction in e2e tests f73b9af0698d0e71a99bffce1240384e9465a455 (Jon Huhn)
feat(certs): create MRC on install (#4747) 7ddd4d185e3715973860bed60eaf66b38ed68b29 (Jackie Elliott)
remove unused code paths (#4758) 27ab5a7266dd3ef24b60b104b6a576a57aff2f30 (steeling)
Add root path ingress e2e test (#4756) 15f0a18f5646b9ebedd61b8b637dc09ef3a61539 (Niranjan Shankar)
fix(vulnerability): patch runc security issue by upgrading to v1.1.2 (#4760) 21d3e60f04c11525d07f83d52e0cb244ec47b3dd (Thomas Stringer)
contrib: add guideline for design docs (#4757) a241cba677f1298c050aec03d30fcac9214830c0 (Shashank Ram)
feat(cert): cert rotation state management (#4743) ecc4e6713cc87a51a28bf2a1ed3d74a34b9c9d54 (steeling)
Feature/statefulsets: fix protocol detection for ports (#4752) 9b11d76e5583a74e56d07c57786cbe56bf9953c2 (Keith Mattix II)
remove head of line blocking from workerpool (#4648) d1ef8b13e09724cb0e501b9560904b29732f3618 (steeling)
cli/verifier: add control plane health probe checks (#4751) dd42d04b2dd1140975370ce1adb97aeb4ed989a4 (Shashank Ram)
(feat/statefulsets): MeshService API changes for Headless Services (#4704) 0af42df42c136e34639eb926c589ae0a5b0065ba (Keith Mattix II)
fix(demo): remove unneeded port-forward for bookstore (#4740) 3395da58f49df2ec50481c791a50345d322f51a3 (Jon Huhn)
ref(certs): use secretKeyRef for Vault token in MRC (#4736) 855776a1cd8aa448c92a9bec6dedac1069be3bc7 (Jackie Elliott)
cli/verifier: use pod status conditions for readiness check (#4749) 9ffa3d38c4c261df57bbbb3233f64f54bf68c9c2 (Shashank Ram)
ref(certs): unexport methods on cert manager (#4742) 21bc67dc31f4f8d235b32981708c6e0d2f7069a6 (steeling)
cli/verifier: add ingress verification (#4715) ec9b9f92379fe972a9e1363bcfbea5dfa6df7d6b (Keith Mattix II)
feat(certificate): create a compat layer for provider generation (#4718) 00bc36338dd1fea4171af5d87dbf6ed5a8a0229f (steeling)
feat(envoy): allow websocket upgrade for all http connections (#4741) 96e0879ee3246a08d9c8c3500a31342a9c6b1751 (Martin Andreas Ullrich)
cli/verifier: add control-plane-health command (#4734) fc638c334b607cc9f3987e75812c964df208e2f7 (Shashank Ram)
feat(api/MeshRootCertificate): add informer client (#4721) 5a885ef60653fb4c987c847b33ece14bad56dfba (Jackie Elliott)
chore(release): update chart version (#4730) 102baf57c514003f1a45d31d4b3dc78bdcbed602 (Jon Huhn)
cli/verifier: add cluster check for egress (#4729) 53a22380667a95ccf79fb75aff8a2c46e5f1b2a5 (Shashank Ram)
fix(demo): default USE_PRIVATE_REGISTRY to false (#4727) 6a5e6892480351a1cfa21fb0bca1098e6e2ddc80 (Jon Huhn)
refactor(cmd/cli): update uninstall cmd (#4664) 76d177f5b47ac1838f21c3307fbb838cbd64f564 (Shalier Xia)
egress: add cli verifier and rename traffic match (#4724) a6d71d2e7e6ac5c1703fadf0e29bbf575ad016bb (Shashank Ram)
policy: Updates retry policy API (#4627) 12780558e3e9b412b431143e2ac6e400dc119897 (Shalier Xia)
ref(cert): update Manager to support mult clients (#4705) a8330dca33af3e1c5fac326dbd6409322a613034 (Jackie Elliott)
cli/verifier: add stubs for egress checks (#4719) 87b709d4316cc6f83677653bbaa929f506df5447 (Shashank Ram)
cli/verifier: verify presence of secrets (#4714) 55bdb17d93d9a527db3bc51c3a64cc3da281aba2 (Shashank Ram)
Fix e2e_client_server_connectivity_test noInstall (#4708) 1e7d22a41f291c8b89fddcbcd5934dc416d0f937 (Niranjan Shankar)
refactor k8s root ca secret access (#4657) bd5247bcb4bb297f061f883ac0a8ea8e63632d00 (steeling)
ref(certs): refactor k8s root ca secret access (#4657) 896fb7af871e7dbf74d4bd27863ef0336105913a (steeling)
crds: add MeshRootCertificate CRD (#4687) 19eb1618a0904275d0d2052d96b296e78d39357a (Jackie Elliott)
docs(contrib): recommend not rewriting git history (#4709) 876579b9a779f83259fd042ba8cc89f919297330 (Jon Huhn)
bugreport: collect more ingress & control plane info (#4703) 13802e81d5af6c217ec95fb834370895dfcd9aff (Shashank Ram)
pkg/injector: Enable podIP proxying via meshconfig setting (#4701) 0ad92c9ae9a617617e99312f87bd2779715bfcf2 (Keith Mattix II)
add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 63715c04ea86c7d03805cf5fdae961e7b7ce4e82 (steeling)
feat(injector): add list of ignored network interfaces (#4700) f922b5c21d2e657b85b5130fcc9fd14b22b8af0b (Jon Huhn)
cli/verifier: check presence of service cluster (#4695) ddd10e2c819d55133b9f2153d3032fa19e65dbb1 (Shashank Ram)
config/meshConfig: New localProxyMode field (#4686) 86690a3cece5a3e41c488980970cc622f77fa50c (Keith Mattix II)
feat(certificates) rework cert manager, integrate rotor (#4645) d4853664a5ee34dfaf7367b54822b307bd19d99e (schristoff)
fix(certificates): fail politely in tresor's cert issuer (#4696) ce2a0e5fccd294baae78cdf77640a3fe38d9b5a3 (schristoff)
cli/verifier: derive appProtocol from service (#4691) 77b4dd80462176224fb540330f9d77d164801d06 (Shashank Ram)
Support pod recreation for the kubectl debug command. (#4688) 0a1653e13222749591f93a5742d0cea6e3309ea5 (steeling)
cli/verifier: verify basic HTTP route configs (#4682) 24a494b2b5921ef63bb3dbe593ced37ffe36dfd2 (Shashank Ram)
Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) bc3ff995b616c77e7d21099d5339185665d92585 (Keith Mattix II)
config/meshConfig: New localProxyMode field (#4671) (#4680) a8a3dbbe45d80760103b9cb56420adfea753fb6b (steeling)
apis: add MeshRootCertificate API types (#4677) 455887d015e861f7ffaff6b82db2d621bcce1cb9 (Jackie Elliott)
ref(injector): load bootstrap SDS configuration from filesystem (#4635) 0163584e3d3d7bb730f3429e8967e03fbf7e5f50 (Jackie Elliott)
fix(doc): update release guide (#4661) 4f204ddb5ba2c074c9879a93457d6a66aed40a6c (Jon Huhn)
feat(metrics): add osm_events_queued metric (#4670) 4cd4f6af382548538fa451974e2a12c5d817cb4d (Jon Huhn)
config/meshConfig: New localProxyMode field (#4671) 966405b29161ee650d01a8c0ebaa5fe4ed324b79 (Keith Mattix II)
IngressBackend UpstreamTrafficSetting validations (#4640) a54b4048ca2778cbcf6700ed241086ceacb69fd6 (Keith Mattix II)
expose the version information via prometheus (#4679) 1faa13a769825b71cdd41632b36876b32b4688b8 (steeling)
fix: upgrade vulnerable library crypto (#4676) 1550133d9b5c2e7dcea61750f09a96796449ecd0 (allenlsy)
ref(test): migrate e2e app to Fortio (#4631) cf1395e3cf5a6f89a87c4b8eb3e4e8149b83fc5b (allenlsy)
cli/verifier: verify destination for connectivity config (#4672) f04a61397a005fb85f74179166fdb41d6d522e7c (Shashank Ram)
chore(release): Update Chart.yaml to use release v1.1 (#4662) 2f36980f85279ea8ddec80a261fe7bf76743648a (schristoff)
envoy/verifier: add source config checker (#4658) 82492c0b50cb701df50a401018c1cae363208765 (Shashank Ram)
update prometheus v2.34.0 (#4666) f021edde5d81b293f5318bb50bfc841f73381120 (Niranjan Shankar)
tests: move fakes to own sub-package (#4667) 5c966acb814130ca9334714ec4fa75351c4c41e1 (Shashank Ram)
Reword the README note about OSM's production readiness. (#4660) 46781f2bec6db4a6864ecc9ab9c2f0a532f96b40 (Thomas Stringer)
cli/verifier: add Envoy config dump parser (#4646) a918abff99a2106f913302db2fc8705651d2a72d (Shashank Ram)
ref(smi): remove unused kubeClient from smi client (#4643) 95a898f14608224361f4d6eefbeaa463e3f852c5 (Deepesh Pathak)
cli: add verify command (#4639) 9be0fa424290be851f70abe78a633925ae49fb00 (Shashank Ram)
Add --overwrite to kubectl label cmd in osm bootstrap (#4641) af50d175a650e2047b2f59f4604fc88923e1cb60 (Niranjan Shankar)
fix(ci): fix lint (#4629) 9ca8e413895937b8543547b777153a5474f1a2dd (Jon Huhn)

v1.1.1

2 years ago

Notable changes

A new spec.sidecar.localProxyMode field in the MeshConfig API allows users to specify whether traffic from Envoy sidecars to application containers is redirected via 127.0.0.1 (the previous behavior and current default) or the Pod's IP address
A new spec.traffic.networkInterfaceExclusionList field in the MeshConfig API allows users to specify names of network interfaces on Pods that should not have traffic proxied through Envoy sidecars
The installed MeshConfig resource can now be updated with kubectl apply

Breaking changes

None

Deprecation notes

None

CRD Updates

No CRD changes between tags v1.1.0 and v1.1.1

Changelog

chore(release): cut v1.1.1 (#4728) 407bbedd5edb6ff9f1f51a4cabb95bedeb567312 (Jon Huhn)
Release v1.1.1-rc.1 (#4720) 0171d845868db052094b986a408bdab5f9a617c4 (Keith Mattix II)
Fix e2e_client_server_connectivity_test noInstall (#4708) 2cb3ee95deeb2c5922e8eea4f7840b18c7a6b18b (Niranjan Shankar)
pkg/injector: Enable podIP proxying via meshconfig setting (#4701) cbdcfe10e3b29b54e20ddd504eb7b0771f7105c0 (Keith Mattix II)
add the last applied annotation to allow using kubectl apply on the mesh config (#4673) 868c13203e6f377af4ebe5b697a853b054142615 (steeling)
feat(injector): add list of ignored network interfaces (#4700) 79eef29c8876ca15f050dd4f0593faf8d22310f0 (Jon Huhn)
config/meshConfig: New localProxyMode field (#4686) 5a2902246031456ce672d0638fafe6ef7edab7b8 (Keith Mattix II)
Revert "config/meshConfig: New localProxyMode field (#4671)" (#4684) e9ae62109db09fcefd4f6674dcdee28a825bb4a1 (Keith Mattix II)
config/meshConfig: New localProxyMode field (#4671) (#4680) 134d5e2dfd937ffa407d0eae36428fe3b1539dbe (steeling)
apis: add MeshRootCertificate API types (#4677) 1ca81b3a372c75156300ee49e1c7ed990a4d1232 (Jackie Elliott)
fix(doc): update release guide (#4661) e26305c6c34256f3cd2c4acf6be8bb34c55c7742 (Jon Huhn)
config/meshConfig: New localProxyMode field (#4671) 63786fd0fe88dce1084332cfe02bc8212f185627 (Keith Mattix II)
fix: upgrade vulnerable library crypto (#4676) 6089ff7ec7f059d1f213f5f883b504faf8f0c4bc (allenlsy)