kumahq/kuma 2.10.0

on GitHub

We are excited to announce the latest release!

Notable Changes

Improvement of OpenAPI

Improved OpenAPI specs with additional definitions, fixed mappings and defaults, documented 404 responses, and properly marked read-only fields.

New rules in targetRef

A new "rules" API has been introduced for inbound policy application, overcoming limitations of the previous "from" syntax, enabling finer control over ports, proxies, services, and HTTP routes.

Introducing new kind Dataplane in targetRef

This unblocks us to use Dataplane labels instead of inbound tags when selecting the proxy that policies should be configured on. Also, it provides a way to select a single port on the DPP when configuring inbounds (by using sectionName).

MeshService improvements

A few improvements are introduced to the MeshService feature.

Changelog

• chore(deps): align forked go-control-plane version with upstream #12000 @lukidzi
• chore(deps): bump bitnami/kubectl from 1.27.5 to 1.32.2 #12305 #12399 #12868 @dependabot
• chore(deps): bump cirello.io/pglock from 1.14.2 to 1.16.0 #11892 @dependabot
• chore(deps): bump coredns from v1.11.3 to v1.12.0 #12034 #12472 @bartsmykla,@michaelbeaumont
• chore(deps): bump debian from 27586f4 to 3528682 #11810 #12071 #12168 #12412 #12621 #12802 #13000 @dependabot
• chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 #12101 @dependabot
• chore(deps): bump github.com/bakito/go-log-logr-adapter from bfa42fa to de85860 #12538 @renovate
• chore(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.17.3 #12396 #12699 #12875 @dependabot,@renovate
• chore(deps): bump github.com/containernetworking/plugins from 1.5.1 to 1.6.2 #11811 #12171 #12524 @dependabot
• chore(deps): bump github.com/emicklei/go-restful/v3 from 3.12.1 to 3.12.2 #12991 @dependabot
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.1.0 to 1.2.1 #12674 @dependabot
• chore(deps): bump github.com/exaring/otelpgx from 0.6.2 to 0.9.0 #12074 #12678 #12701 @dependabot,@renovate
• chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 #11970 @dependabot
• chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.18.1 to 4.18.2 #12675 @dependabot
• chore(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 #12924 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.47.2 to 0.48.2 #12240 #12397 #12797 @dependabot
• chore(deps): bump github.com/invopop/jsonschema from 0.12.0 to 0.13.0 #12427 @dependabot
• chore(deps): bump github.com/jackc/pgx/v5 from 5.7.1 to 5.7.2 #12392 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63 #12679 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.22.2 #11969 #12102 #12395 #12426 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.34.2 to 1.36.2 #11971 #12103 #12239 #12410 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.21.1 #11813 #12923 #13016 @dependabot,@renovate
• chore(deps): bump github.com/prometheus/common from 0.60.0 to 0.62.0 #11891 #12202 #12606 @dependabot,@renovate
• chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 #12873 @dependabot
• chore(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 #12737 @dependabot
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.4.0 to 2.5.0 #12736 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.33.0 to 0.35.0 #11812 #12525 @dependabot
• chore(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 #12012 @dependabot
• chore(deps): bump go-control-plane from 0.13.1 to 0.13.4 #12654 @lukidzi
• chore(deps): bump go.opentelemetry.io/proto/otlp from 1.3.1 to 1.5.0 #12170 #12522 @dependabot
• chore(deps): bump golang.org/x/net from 0.30.0 to 0.36.0 #12011 #12203 #12527 #12874 #13017 @dependabot,@renovate
• chore(deps): bump golang.org/x/sync from 0.8.0 to 0.11.0 #12013 #12201 #12800 @dependabot
• chore(deps): bump golang.org/x/sys from 0.26.0 to 0.30.0 #12015 #12200 #12428 #12796 @dependabot
• chore(deps): bump golang.org/x/text from 0.19.0 to 0.22.0 #12014 #12205 #12798 @dependabot
• chore(deps): bump golang.org/x/tools from 0.29.0 to 0.30.0 #12871 @dependabot
• chore(deps): bump google.golang.org/genproto/googleapis/* from 1a7da9e to 29210b9 #12684 @renovate
• chore(deps): bump google.golang.org/grpc from 1.67.1 to 1.71.0 #12010 #12204 #12281 #12393 #12526 #12677 #13018 @dependabot,@renovate
• chore(deps): bump google.golang.org/protobuf from 1.35.1 to 1.36.5 #12072 #12304 #12394 #12523 #12676 #12799 @dependabot
• chore(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.17.1 #12073 #12303 #12607 #12872 @dependabot,@renovate
• chore(deps): bump k8s-staging-build-image/distroless-iptables from v0.6.4 to v0.7.3 #12070 #12401 #12620 #12803 #12869 #12934 @dependabot
• chore(deps): bump kumahq/ubuntu-netools from 4243009 to 5417a86 #12016 #12196 #12400 #12533 #12556 @dependabot,@renovate
• chore(deps): bump module github.com/josephburnett/jd/v2 from 7b2e87c to 6125a15 #12690 @renovate
• chore(deps): bump postgres from 4ec37d2 to 81f32a8 #11817 #12068 #12105 #12197 #12411 #12619 #12801 #12867 #12933 #12999 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 9 updates #12009 #12280 @dependabot
• chore(deps): bump the k8s-libs group #11890 #12100 #12169 #12238 #12279 #12425 #12521 #12605 #12628 #12629 #12673 #12795 #12870 @dependabot,@renovate
• chore(deps): pin distroless-iptables image #12459 @lahabana
• chore(deps): remove deprecated protobuf dependency #12038 @Icarus9913
• chore(deps): security update #12250 #12328 #12969 @kumahq
• chore(deps): update golang.org/x/exp digest from e7e105d to e0ece0d #12539 #12698 @renovate
• chore(deps): update module github.com/evanphx/json-patch/v5 from v5.9.0 to v5.9.11 #12689 #12700 @renovate
• chore(deps): update opentelemetry-go monorepo #12600 @renovate
• chore(deps): update opentelemetry-go-contrib monorepo to v0.59.0 #12614 @renovate
• chore(deps): upgrade envoy from 1.30.6 to 1.32.3 #11615 #11831 #11962 #12215 #12458 @lukidzi
• chore(deps): upgrade go from 1.23.2 to 1.23.6 #12083 #12220 #12582 #12781 @Icarus9913,@kumahq,@lukidzi
• chore(deps): use latest kumahq/kuma-gui #11803 #11814 #11818 #11829 #11830 #11863 #11864 #11867 #11912 #11913 #11914 #11916 #11919 #11929 #11935 #11964 #11965 #11977 #11989 #11990 #11992 #11999 #12004 #12019 #12020 #12031 #12035 #12036 #12039 #12046 #12053 #12058 #12060 #12063 #12065 #12066 #12069 #12075 #12076 #12077 #12078 #12079 #12081 #12082 #12088 #12089 #12090 #12092 #12094 #12106 #12138 #12139 #12150 #12151 #12153 #12172 #12178 #12179 #12184 #12186 #12187 #12192 #12193 #12194 #12211 #12213 #12214 #12225 #12227 #12228 #12237 #12242 #12271 #12296 #12302 #12306 #12316 #12317 #12318 #12323 #12417 #12418 #12422 #12462 #12469 #12490 #12499 #12520 #12537 #12604 #12608 #12622 #12632 #12638 #12640 #12643 #12645 #12651 #12656 #12662 #12681 #12687 #12694 #12706 #12720 #12726 #12745 #12750 #12758 #12772 #12807 #12808 #12813 #12823 #12824 #12833 #12835 #12836 #12838 #12850 #12851 #12876 #12884 #12887 #12888 #12896 #12899 #12902 #12905 #12907 #12918 #12942 #12945 #12949 #12959 #12962 #12973 #12974 #12981 #13001 #13006 #13007 #13011 #13013 #13019 #13027 #13055 #13086 @kumahq
• feat(MeshAccessLog): add possibility to configure gateway using rules api #12815 @Automaat
• feat(MeshAccessLog): add possibility to configure inbound using rules api #12708 @Automaat
• feat(MeshCircuitBreaker): add possibility to configure inbound using rules api #12771 @Automaat
• feat(MeshCircuitBreaker): supplement HealthyPanicThreshold property #12860 @Icarus9913
• feat(MeshCircuitBreaker): track remaining connections before opening circuit breaker #12206 @lukidzi
• feat(MeshFaultInjection): support GRPC protocol #12715 @lukidzi
• feat(MeshHealthCheck): deprecate healthyPanicThreshold property #12878 @Icarus9913
• feat(MeshMetrics): add dns statistics to the basic profile #12226 @lukidzi
• feat(MeshPassthrough): add support for MySQL protocol #12839 @lukidzi
• feat(MeshRateLimit): add possibility to configure inbound using rules api #12722 @Automaat
• feat(MeshService): add option to selectively ignore conversion to MeshService #11833 @jakubdyszkiewicz
• feat(MeshTLS): add possibility to configure gateway using rules api #12818 @Automaat
• feat(MeshTLS): add possibility to configure inbound using rules api #12752 @Automaat
• feat(MeshTimeout): add possibility to configure inbound using rules api #12500 #12696 #12757 #12769 @lobkovilya
• feat(api): add kuma resources and policies short name support #12109 @lahabana
• feat(api): apply default configurations for k8s & universal by using k8s defaulter #12829 @slonka
• feat(api-server): add inspect-api for retrieving service hostnames #11865 @jakubdyszkiewicz
• feat(api-server): add support for inbound rules in inspect-api #12713 @lobkovilya
• feat(api-server): add support for inspect api for new kind Dataplane and section name for selecting single inbound #12644 @Automaat
• feat(api-server): add support for label filters #12840 @lahabana
• feat(api-server): allow listing Dataplanes matching given MeshService #11850 @jakubdyszkiewicz
• feat(api-server): respond with 200/201 with empty json for successful PUT #12642 @slonka
• feat(api-server): return empty json on successful delete response #12669 @slonka
• feat(helm): add ServiceMonitor for controlplane metrics scraping #12843 @synthe102
• feat(helm): add priorityClassName to Helm Chart #12652 @jmromanos
• feat(helm): expose CNI affinity setting #13080 @lukidzi
• feat(kds): add option to disable KDS traces #11847 @michaelbeaumont
• feat(kds): add support for Secrets creation on the zone #12768 @lukidzi
• feat(kds): add support for kuma.io/kds-sync label #13008 @lahabana
• feat(kds): use compressor to make requests and responses smaller #12339 @slonka
• feat(kuma-cp): add new targetRef kind Dataplane #12470 @Automaat
• feat(kuma-cp): add pod labels on dataplane and use proxy type labels #12453 @Automaat
• feat(kuma-cp): allow missing transparent proxy ConfigMap or empty in k8s #11988 @bartsmykla
• feat(kuma-cp): allow skipping certain label propagation on multizone #11918 @michaelbeaumont
• feat(kuma-cp): cleanup ZoneIngress/ZoneEgress resources #12787 @lukidzi
• feat(kuma-cp): clock skew for generated certs #11807 @jakubdyszkiewicz
• feat(kuma-cp): take inbound name from pod instead of service #12783 @Automaat
• feat(kuma-dp): disable application probe proxy by default on Universal #12002 @jijiechen
• feat(kumactl): update install observability components #12862 @bartsmykla
• feat(openapi): generate a spec with all resources #12006 #12272 #12329 #12330 #12336 #12497 #12665 #12666 #12680 #12697 #12903 #12936 @schogges,@slonka
• feat(policy): add InboundRules to GatewayRules #12791 @Automaat
• feat(policy): allow sectionName and labels in targetRef #11819 @Neyaz
• feat(policy): allow using Dataplane kind in top level targetRef in all policies #12659 @Automaat
• feat(policy): deprecate MeshSubset kind in top level targetRef #12660 @Automaat
• feat(policy): deprecate from section for policies supported by section rules #12789 @Automaat
• feat(policy): implement algorithm for inbound rules #12560 @lobkovilya
• feat(policy): implement possibility to select proxies in policies by new kind Dataplane #12573 @Automaat
• feat(policy): support Labels with SectionName in ResolveTargetRef function #12743 @lobkovilya
• feat(resource): add deprecation for resources whose name breaks RFC-1035 #13003 #13028 @Icarus9913,@lukidzi
• feat(resource): add isProxy flag to resource descriptor #12414 @Automaat
• feat(transparentproxy): fail injection if custom ConfigMap missing #13012 @bartsmykla
• feat(xds): add internal address config onto HttpConnectionManager #12986 @jijiechen
• fix(MeshExternalService): set correct TLS context #12162 @lukidzi
• fix(MeshExternalService): skip invalid resources during configuration generation #12919 @lukidzi
• fix(MeshInsights): skip error on mesh insight creation race condition #12549 @Automaat
• fix(MeshLoadBalancingStrategy): deprecate SourceIP and use Connection #12111 @lukidzi
• fix(MeshLoadBalancingStrategy): set all priorities equal if localityAware is disabled #11980 @michaelbeaumont
• fix(MeshPassthrough): refactor implementation to generate correct route #12054 @lukidzi
• fix(MeshService): skip generation for invalid kuma.io/service name #12751 #13014 @Icarus9913,@lukidzi
• fix(MeshService): use Protocol from the resource #12709 @lukidzi
• fix(MeshTLS): fix shadow policy effect #12731 @Automaat
• fix(MeshTimeout): set default inbound timeouts correctly #12692 @lobkovilya
• fix(MeshTrace): add support for real resources #12173 @lukidzi
• fix(MeshTrafficPermission): prevent nil pointer error for AutoReachableService when no top targetRef #12152 @lukidzi
• fix(Secret): return proper typed errors on conflict in secret store #13002 @lahabana
• fix(api): compute labels on resource update #11861 @lukidzi
• fix(api): return 499 when client cancel context #11821 @lukidzi
• fix(api): update the resources properties to be compatible with Terraform and OpenAPI generator #12735 #12742 #12747 #12844 #12895 #13004 @slonka
• fix(api-server): order inbounds when returning resources from inspect api #12909 @Automaat
• fix(api-server): return early when there is error on delete #12749 @lukidzi
• fix(api-server): skip display-name label for service insight #11508 @Icarus9913
• fix(cni): delegated gateway was not correctly injected #11922 @jakubdyszkiewicz
• fix(cni): support bound service account token by reloading periodically #12592 @jijiechen
• fix(gateway): change MeshGateway tags validation to be consistent with MeshRoute tags validation #11808 @Automaat
• fix(k8s): fix scope assignment to the resource #12879 @lukidzi
• fix(k8s): only run necessary controllers on global #11715 @michaelbeaumont
• fix(k8s): prevent reconciling all namespaces on label change #12906 @bartsmykla
• fix(k8s): set annotation kuma.io/display-name for Secrets and Configs #11923 @michaelbeaumont
• fix(kds): do not log error when context canceled #11820 @lukidzi
• fix(kds): fix an issue in KDS causing valid resources not being synced when there is a invalid resource #12776 @lukidzi
• fix(kds): remove context from map on stream close #12243 @lukidzi
• fix(kds): rework cross zone syncing #12893 @lahabana
• fix(kuma-cp): avoid concurrent access on resource meta #11997 @lahabana
• fix(kuma-cp): change usage of deprecated global_downstream_max_connections on envoy #13051 @lukidzi
• fix(kuma-cp): don't override existing dataplane labels by pod labels #12589 @Automaat
• fix(kuma-cp): fix an issue caused by concurrent map operations #12908 @lukidzi
• fix(kuma-cp): handle conn closed issue when creating saving stream connection #12557 @Automaat
• fix(kuma-cp): move global log variable to struct to avoid data race #12980 @lukidzi
• fix(kuma-cp): save and update labels from Dataplane resource on Universal #12975 @Automaat
• fix(kumactl): mark valid-for as required for command kumactl generate dataplane-token #11849 @jijiechen
• fix(kumactl): remove metrics, logging, tracing columns in get meshes #11895 @michaelbeaumont
• fix(policy): a bug in ResolveTargetRef that caused creating excessive entries in ResourceRules #12710 @lobkovilya
• fix(policy): fix merging pointers to slices of struct #12859 @slonka
• fix(policy): improve message when no proxyTypes #12754 @lukidzi
• fix(policy): use new compute for rules and fix rules intersect #12340 @Icarus9913
• fix(postgres-leader): add proper error logging in postgres leader elector #12484 @Automaat
• fix(xds): ignore watchdog error on context cancelled #12664 @jakubdyszkiewicz
• fix(xds): only auth once per xds gRPC stream in kuma-cp. Revoking a dataplane token on Unversal mesh clusters now requires restarting the mesh control plane. #12788 @jijiechen
• fix(xds): prevent watchers from being cleaned up unexpectedly #12886 @jijiechen
• perf(xds): add x-kuma-tags conditionally #11076 @jakubdyszkiewicz