kumahq/kuma 2.12.0

on GitHub

We are excited to announce the latest release !
This version features new Inspect API, unified resource naming and new experimental Spire identity provider!

Notable Changes

Unified resource naming

This experimental features update all stats end Envoy resource names to follow format of KRI (Kuma Resource Identifier). Which makes it easier to correlate Kuma resources with stats with Envoy resources created from it.

MeshIdentity with Spire support

New way of issuing Identity in mesh. MeshIdentity creates Spiffe compliant identities, opens up possibility to use Spire with Kuma.

New MeshTrafficPermission rules API

MeshTrafficPermission now supports rules API for inbound policies. It features SpiffeID matchers to allow/deny traffic based on it.

New Inspect API

Added multiple new endpoints for extracting policies applied to specific dataplane/inbound/outbound/route. These new endpoints provide a simplified view of applied policies. Moreover, we have added new _layout and _routes endpoints. _layout endpoint returns networking layout of data plane, which contains information about inbounds and reachable outbounds. And _routes endpoint returns a list of routes for a given outbound.

Changelog

• chore(deps): automatically bump openapi-tool when a new release is out #14227 @slonka
• chore(deps): bump actions/create-github-app-token from v2.0.6 to v2.1.0" #14198 @bartsmykla
• chore(deps): bump cirello.io/pglock from v1.16.0 to v1.16.1 #13686 @renovate
• chore(deps): bump coredns from 1.12.1 to 1.12.2 #13706 @Automaat
• chore(deps): bump debian from 12.11 to 13.0 #14274 @renovate
• chore(deps): bump docker.io/bitnami/kubectl from 1.33.1 to 1.33.3 #13929 #13994 @renovate
• chore(deps): bump envoy from v1.34.1 to v1.35.1 #13947 #14014 #14075 #14367 @lukidzi,@renovate
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug from 84c4a85 to 7557eb8 #13734 #14135 #14364 @renovate
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug-nonroot from 081a62d to ccb2092 #13735 #14136 #14365 @renovate
• chore(deps): bump gcr.io/distroless/static-debian12:debug-nonroot from 633d5fa to a855ba8 #13736 #14137 #14366 @renovate
• chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables from v0.7.5 to v0.8.1 #13739 #13823 #13995 @renovate
• chore(deps): bump ghcr.io/kumahq/ubuntu-netools:main from 72dbf6d to 3b55046 #14264 @renovate
• chore(deps): bump github.com/cilium/ebpf from v0.18.0 to v0.19.0 #13824 @renovate
• chore(deps): bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible #14087 @dependabot
• chore(deps): bump github.com/emicklei/go-restful/v3 from v3.12.2 to v3.13.0 #14270 @renovate
• chore(deps): bump github.com/go-logr/logr from v1.4.2 to v1.4.3 #13687 @renovate
• chore(deps): bump github.com/golang-jwt/jwt/v5 from v5.2.2 to v5.3.0 #13996 #14118 @renovate
• chore(deps): bump github.com/golang-migrate/migrate/v4 from v4.18.3 to v4.19.0 #14373 @renovate
• chore(deps): bump github.com/gruntwork-io/terratest from v0.48.2 to v0.50.0 #13528 @renovate
• chore(deps): bump github.com/josephburnett/jd/v2 from v2.2.3 to v2.3.0 #14183 #14271 @renovate
• chore(deps): bump github.com/masterminds/semver/v3 from v3.3.1 to v3.4.0 #13825 @renovate
• chore(deps): bump github.com/miekg/dns from v1.1.66 to v1.1.68 #13930 #14114 @renovate
• chore(deps): bump github.com/onsi/ginkgo/v2 from v2.23.4 to v2.25.2 #14284 #14368 @renovate
• chore(deps): bump github.com/onsi/gomega from v1.37.0 to v1.38.1 #14062 #14325 @renovate
• chore(deps): bump github.com/prometheus/client_golang from v1.22.0 to v1.23.0 #14119 @renovate
• chore(deps): bump github.com/prometheus/common from v0.64.0 to v0.65.0 #13780 @renovate
• chore(deps): bump github.com/spf13/pflag from v1.0.6 to v1.0.7 #13997 @renovate
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from v2.5.0 to v2.6.0 #14330 @renovate
• chore(deps): bump github.com/testcontainers/testcontainers-go from v0.37.0 to v0.38.0 #14003 @renovate
• chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus from v0.59.0 to v0.59.1 #14022 @renovate
• chore(deps): bump go.opentelemetry.io/proto/otlp from v1.6.0 to v1.7.1 #13691 #14116 @renovate
• chore(deps): bump golang from 1.24.4 to 1.25.0 #13896 #14218 @Icarus9913
• chore(deps): bump golang.org/x/net from v0.42.0 to v0.43.0 #14189 @renovate
• chore(deps): bump golang.org/x/tools from v0.33.0 to v0.36.0 #13741 #13936 #14190 @renovate
• chore(deps): bump google.golang.org/grpc from v1.72.2 to v1.75.0 #13742 #14063 #14307 @renovate
• chore(deps): bump google.golang.org/protobuf from v1.36.6 to v1.36.8 #14185 #14327 @renovate
• chore(deps): bump helm.sh/helm/v3 from v3.18.0 to v3.18.6 #13689 #13776 #13895 #14242 #14304 @renovate
• chore(deps): bump kubernetes packages from v0.33.1 to v0.33.2 #13777 @renovate
• chore(deps): bump kubernetes packages from v0.33.2 to v0.33.3 - autoclosed #13998 @renovate
• chore(deps): bump kubernetes packages from v0.33.3 to v0.33.4 #14267 @renovate
• chore(deps): bump kumactl install demo|observability container images #13685 #13778 #13822 #13865 #13937 #13992 #14064 #14191 #14272 @renovate
• chore(deps): bump kumahq/openapi-tool from v1.1.6 to v1.1.7 #14231 @renovate
• chore(deps): bump lifecycle to 2e670e4083642dfa8f047fab84c6436d28ef81a4 #13704 @Automaat
• chore(deps): bump openapi-tool to v1.1.6 #14226 @slonka
• chore(deps): bump opentelemetry-go monorepo #13826 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from v0.60.0 to v0.61.0 #13781 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from v0.61.0 to v0.62.0 #13827 @renovate
• chore(deps): bump postgres:latest from 6efd0df to 29e0bb0 #13738 #13861 #14019 #14060 #14266 @renovate
• chore(deps): bump protoc-gen-go-grpc from 1.1.0 to 1.5.1 #14099 @Automaat
• chore(deps): bump redis from a1e0a3b to cc2dfb8 #14020 #14282 @renovate
• chore(deps): bump sigs.k8s.io/yaml from v1.4.0 to v1.6.0 #13828 #14065 @renovate
• chore(deps): security update #13726 #14174 @kumahq
• chore(deps): update renovate config for openapi-tool #14230 @bartsmykla
• chore(deps): upgrade golangci-lint from v2.1.6 to v2.2.2 #13956 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #13711 #13716 #13721 #13728 #13729 #13758 #13760 #13766 #13784 #13790 #13800 #13806 #13808 #13818 #13832 #13834 #13836 #13839 #13850 #13854 #13858 #13870 #13888 #13890 #13907 #13921 #13927 #13955 #13957 #13959 #13963 #13964 #13980 #14004 #14080 #14091 #14093 #14101 #14215 #14232 #14253 #14258 #14263 #14295 #14302 #14310 #14312 #14313 #14314 #14319 #14353 #14357 #14358 #14379 #14391 #14393 @kumahq
• ci(gha): move clang-format from make check to action #14012 @Automaat
• feat(KDS): log unique streamID #13684 @lobkovilya
• feat(MeshIdentity): add spire provider #14181 @lukidzi
• feat(MeshIdentity): bundled provider implementation #14171 @lukidzi
• feat(MeshIdentity): create a component updating meshidentity status #14176 @lukidzi
• feat(MeshIdentity): create mesh trust based on identity #14217 @lukidzi
• feat(MeshIdentity): enable usage of identity and provide e2e tests #14240 @lukidzi
• feat(MeshIdentity): implement policy API #13986 @lukidzi
• feat(MeshIdentity): set MeshService TLSReadiness and Identity #14216 @lukidzi
• feat(MeshLoadBalancingStrategy): add MeshHTTPRoute support #13794 @lobkovilya
• feat(MeshLoadBalancingStrategy): move HashPolicies field to root level #13770 @lobkovilya
• feat(MeshTrafficPermission): implement new inspect api support #14168 @Automaat
• feat(MeshTrafficPermission): implement new rules api #14127 @Automaat
• feat(MeshTrafficPermission): spiffeId matcher support #14147 @Automaat
• feat(MeshTrust): create trust secrets #14179 @lukidzi
• feat(MeshTrust): implement policy API #13991 @lukidzi
• feat(api): add _policies endpoint to get routes policies config #14082 @Automaat
• feat(api): add method to read DataSource on control-plane #14152 @lukidzi
• feat(api): add universal outbounds to _layout endpoint #14081 @Automaat
• feat(api): add zone proto to oas #13757 @slonka
• feat(api): create common datasource #14028 @lukidzi
• feat(api): implement dataplane layout endpoint #13855 @Automaat
• feat(api): implement endpoint to get routes for dataplane outbound #13892 @Automaat
• feat(api): implement new _policies endpoints for dataplane #13871 @Automaat
• feat(api): new api schema for rules inspect #13488 @Automaat
• feat(charts): add unifiedResourceNaming setting to automate feature flag #13925 @bartsmykla
• feat(helm): define loadBalancerSourceRanges for ZoneIngress k8s service #13965 @Icarus9913
• feat(helm): switch kubectl image to registry.k8s.io #14297 @bartsmykla
• feat(inbound-rules): stop merging inbound rules for internal representation #14104 @Automaat
• feat(inspect-api): better handling of invalid kri error in new inspect api #14309 @Automaat
• feat(k8s): propagate service account in the annotation #14151 @lukidzi
• feat(kuma-cp): add proxyResourceName field to dataplane inbound and outbound #14102 @slonka
• feat(kuma-cp): add validation on resourceType #14355 @slonka
• feat(kuma-cp): allow section names in reachable backends #14316 @bartsmykla
• feat(kuma-cp): contextual (unified) inbound names and route config #14180 @bartsmykla
• feat(kuma-cp): fix missing unified naming for secret resources #14199 @bartsmykla
• feat(kuma-cp): make unified naming depend on exclusive mode #14320 #14343 @slonka
• feat(kuma-cp): rename access log sink system resource to follow unified naming format #14363 @slonka
• feat(kuma-cp): rename dns resources #14162 @slonka
• feat(kuma-cp): rename dynamic config system resource to follow unified naming format #14011 @slonka
• feat(kuma-cp): rename envoy admin system resource to follow unified naming format #13942 @slonka
• feat(kuma-cp): rename kube server bypass system resource to follow unified naming format #14169 @slonka
• feat(kuma-cp): rename mesh access log system resource to follow unified naming format #14159 @slonka
• feat(kuma-cp): rename mesh metric and mesh trace from kri system to system #14296 @slonka
• feat(kuma-cp): rename mesh metric system resource to follow unified naming format #14125 @slonka
• feat(kuma-cp): rename mesh trace system resource to follow unified naming format #14148 #14346 @slonka
• feat(kuma-cp): rename readiness resources #14161 @slonka
• feat(kuma-cp): rename secret system resource to follow unified naming format #14166 @slonka
• feat(kuma-cp): rename transparent proxy resources to follow unified naming format #14286 @slonka
• feat(kuma-cp): setup skaffold #13698 @Automaat
• feat(kuma-cp): support unified naming in zone proxies #14280 @bartsmykla
• feat(kuma-cp/xds): enable unified resource naming for MeshHTTPRoute listeners #14038 @bartsmykla
• feat(kuma-cp/xds): support unified naming in MeshTLS #14303 @bartsmykla
• feat(kuma-dp): introduced workDir in dataplaneRuntime #13893 @m4l1c1ou5
• feat(kuma-dp): use unix socket for readiness reporter #13924 @Icarus9913
• feat(kumactl): add --context flag to select active control plane #13860 @m4l1c1ou5
• feat(kumactl): better kumactl apply output #13771 @lahabana
• feat(meshcontext): move MeshServices, MeshExternalService and MeshMultizoneServices to new DestinationIndex inside BaseMeshContext #13786 @Automaat
• feat(plugins): add ability to register core resources plugins #14149 @lukidzi
• feat(tools): move to Mise from our custom scripts #13835 #14027 @Automaat
• feat(xds): add feature flag for unified resource naming #13908 @bartsmykla
• feat(xds): add metadata to ZoneIngressInsight and ZoneEgressInsight #13923 @bartsmykla
• feat(xds): added builders for tls context #14150 @lukidzi
• feat(xds): calculate mTLS insights for MeshIdentity based on events #14233 @lukidzi
• feat(xds): support unified naming in for MeshHTTPRoute and MeshTCPRoute #14160 @bartsmykla
• fix(MeshMetric): properly map prometheus histogram to native histogram in otel #14234 @Automaat
• fix(MeshMetrics): properly parse scopes from scraped metrics #14182 @Automaat
• fix(MeshTLS): skip xDS configurer when no MeshTLS policy applies to the data plane #13940 @bartsmykla
• fix(MeshTrafficPermission): rename spiffeId to spiffeID #14390 @lobkovilya
• fix(api): align port types in resources with Kubernetes guidelines #13813 @Automaat
• fix(api): fix generating code from oapi schema #13732 @Automaat
• fix(api): fix generation of oapi schema by skipping not yaml files #13748 @Automaat
• fix(api): fix new inspect api endpoints paths to match oapi schema #14294 @Automaat
• fix(dynconfig): change the direct response body size dynamically #13853 @Icarus9913
• fix(helm): properly set addresses when a list is provided #14112 @lukidzi
• fix(helm): remove sh usage in CRD install helm hook job #14287 @bartsmykla
• fix(kuma-cp): cert regeneration counter constantly increasing #14351 @lobkovilya
• fix(kuma-cp): fix match MeshHTTPRoute in policy targets with unified naming #14352 @bartsmykla
• fix(kuma-cp): initialiaze map if it's nil #14205 @lukidzi
• fix(kuma-cp): reconcile pods if MeshService mode changed to remove duplicated inbounds #14356 @Automaat
• fix(kuma-cp): require MeshServices to initialize MeshIdenitity #14360 @lobkovilya
• fix(mads): adding nil check in FallBackNodeHash on mads call #13775 @m4l1c1ou5
• fix(meshratelimit): add warning log about status code #13958 @lukidzi
• fix(xds): check resource type when resolving identifier #13928 @lukidzi