kumahq/kuma 2.3.0

on GitHub

We’re excited to announce the release of Kuma 2.3. This new minor release gets us one step closer to releasing targetRef policies as defaults.

In order to take advantage of the latest and greatest in service mesh, we strongly suggest upgrading to Kuma 2.3. Upgrading is easy through kumactl or Helm. But be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable Changes

• 🚀 targetRef policies are now working with MeshGateway.
• 🚀 MeshTCPRoute which enables to control traffic routing for TCP services.
• 🚀 Helm improvements with more secure defaults.
• 🚀 Possibility to skip creating default policies when creating a mesh.
• 🚀 Performance improvements on Kubernetes.
• 🚀 Add hosts selection predicates to MeshRetry
• 🚀 Initial GAMMA routes support.
• 🚀 Continuous improvements to the look and feel of the GUI
• 🚀 Upgrade to Envoy 1.26

Changelog

• chore(deps): bump Envoy from v1.25.4 to v1.26.2 #6638 #6938 @lukidzi,@michaelbeaumont
• chore(deps): bump cirello.io/pglock from 1.11.0 to 1.13.0 #6817 #6927 @dependabot
• chore(deps): bump controller-runtime from v0.14.6 to v0.15.0 #6809 #6832 @dependabot,@michaelbeaumont
• chore(deps): bump gateway-api from v0.7.0 to c9540a9cf448 #6614 #6674 #6735 #6771 #6840 #6912 #7020 @dependabot,@michaelbeaumont
• chore(deps): bump github.com/containernetworking/plugins from 1.2.0 to 1.3.0 #6738 @dependabot
• chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #6751 @dependabot
• chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #6866 @dependabot
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.1 #6617 #6737 @dependabot
• chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 #6742 @dependabot
• chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.15.2 to 4.16.2 #6864 #6928 #7000 @dependabot
• chore(deps): bump github.com/lib/pq from 1.10.7 to 1.10.9 #6554 #6650 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.53 to 1.1.54 #6651 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.10.0 #6689 #6768 #6925 #7002 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.8 #6818 #7001 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.1 #6555 #6692 @dependabot
• chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #6691 @dependabot
• chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.44.0 #6690 #6814 @dependabot
• chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #6926 @dependabot
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.4 to 2.1.6 #6867 #7003 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.18.0 to 0.20.1 #6708 #6736 @dependabot
• chore(deps): bump go.opentelemetry.io/proto/otlp from 0.19.0 to 0.20.0 #7004 @dependabot
• chore(deps): bump golang from 1.20.4 to 1.20.5 #6587 #6828 #6959 @lahabana,@lukidzi
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #6712 @dependabot
• chore(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0 #6693 @dependabot
• chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #6687 @dependabot
• chore(deps): bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 #6652 @dependabot
• chore(deps): bump k8s.io/kubectl from 0.26.3 to 0.27.2 #6813 @dependabot
• chore(deps): bump sigs.k8s.io/controller-tools from 0.11.3 to 0.12.0 #6586 #6688 @dependabot
• chore(deps): use latest kumahq/kuma-gui #6548 #6552 #6562 #6576 #6606 #6616 #6629 #6640 #6655 #6656 #6659 #6661 #6662 #6664 #6675 #6678 #6701 #6702 #6710 #6715 #6753 #6756 #6762 #6774 #6775 #6776 #6777 #6791 #6798 #6801 #6803 #6807 #6811 #6821 #6822 #6823 #6824 #6830 #6833 #6834 #6835 #6837 #6847 #6850 #6851 #6871 #6875 #6877 #6878 #6879 #6882 #6885 #6904 #6914 #6919 #6921 #6932 #6933 #6937 #6939 #6941 #6946 #6949 #6954 #6958 #6975 #6978 #6980 #6982 #6984 #6994 #6998 #7005 #7009 #7011 #7012 #7013 #7015 #7038 #7060 #7074 #7096 @kumahq
• feat(MeshCircuitBreaker): support MeshGateways #6706 @michaelbeaumont
• feat(MeshGateway): add TLS passthrough listeners #6922 @michaelbeaumont
• feat(MeshGateway): support termination on TLS listeners #6952 @michaelbeaumont
• feat(MeshHealthCheck): support MeshGateway #6743 @michaelbeaumont
• feat(MeshLoadBalancingStrategy): add builtin gateway support #6800 @michaelbeaumont
• feat(MeshRetry): add host selection predicates #6346 @johnharris85
• feat(api-server): add ability to get k8s format of a resource #6673 @lahabana
• feat(api-server): make errors compliant with aip 193 #7017 @lahabana
• feat(client): Consolidate HTTP Client #6849 @mmorel-35
• feat(cni): k8s make namespace configurable #6721 @mmorel-35
• feat(config): improve configurability #6583 @slonka
• feat(docker/kumactl): make entrypoint consistent with kuma-cp and kuma-dp images #6596 @bartsmykla
• feat(envoyadmin): support passing kds envoy operations via http proxy #6915 @jakubdyszkiewicz
• feat(helm): Add logOutputPath support to chart #6649 @ashman1984
• feat(helm): add possibility to extend secrets for cp in helm charts when reusing kuma charts #6883 @Automaat
• feat(helm): enable NodePort customization #6770 @mmorel-35
• feat(helm): remove hostNetwork: true from CNI DaemonSet #6599 @michaelbeaumont
• feat(helm): set readOnlyRootFilesystem on CNI, more explicit templates #6604 @michaelbeaumont
• feat(helm): validate zone name on install #6739 @mmorel-35
• feat(insights): include tenant id in insights info key #6804 @jakubdyszkiewicz
• feat(insights): include tenant id in rate limitter key #6808 @jakubdyszkiewicz
• feat(intercp): pass tenant id #6856 @jakubdyszkiewicz
• feat(intercp): use global tenant for catalog request #6863 @jakubdyszkiewicz
• feat(k8s): add read-only root FS to sidecar #6681 @dascole
• feat(k8s): show Dataplane services in kubectl output #6725 @michaelbeaumont
• feat(kds): configurable server stream interceptors #6697 @jakubdyszkiewicz
• feat(kds): multitenancy #6723 @jakubdyszkiewicz
• feat(kds): opt-in insecure skip verify in zone cp client #6991 @jakubdyszkiewicz
• feat(kuma-cp): top-level MeshHTTPRoute targetRef for MeshTimeout #7016 @lobkovilya
• feat(kuma-cp): add possibility to configure concurrent reconciliation… #7010 @Automaat
• feat(kuma-cp): add possibility to configure kubernetes client qps and… #6951 @Automaat
• feat(kuma-cp): allow to override resource store plugin #6887 @jakubdyszkiewicz
• feat(kuma-cp): allow to specify protocol for globalZone sync service #6842 @lukidzi
• feat(kuma-cp): implement MeshTrafficPermisson for ExternalServices with ZoneEgress #7061 @lukidzi
• feat(kuma-cp): improve BuildRules algorithm #6973 @lobkovilya
• feat(kuma-cp): introduce tag first Virtual Outbound model #7076 @Automaat
• feat(kuma-cp): multitenancy adjustments #6705 @jakubdyszkiewicz
• feat(kuma-cp): multitenant counter metrics #6707 @jakubdyszkiewicz
• feat(kuma-cp): remove unnecessary reconciliation of pods on configmap… #7014 @Automaat
• feat(kuma-cp): support MeshHTTPRoute targetRef #6983 @lobkovilya
• feat(mesh): allow disabling default policy creation #6481 #6931 @johnharris85
• feat(meshaccesslog): use "type" to express oneof #6676 @lobkovilya
• feat(meshtrace): use "type" to express oneof #6679 @lobkovilya
• feat(mtls): generate certificates for Address and AdvertisedAddress for Dataplane and Ingress #6584 @mmorel-35
• feat(multitenancy): postgres events #6799 @jakubdyszkiewicz
• feat(policy): add MeshTCPRoute #6806 #6873 #6888 @bartsmykla
• feat(resources): retry upsert on resource already exist #7022 @jakubdyszkiewicz
• feat(tls): remove commonName in certificate generation #6627 @mmorel-35
• feat(ui): add mode in the config in the index.html #6942 @lahabana
• feat(webhook): make init ordering configurable first/last #7070 @johnharris85
• feat(webhook): warn/fail if containers use same UID as sidecar #7042 @johnharris85
• fix(GatewayAPI): convert HTTP header names to lowercase #6704 @michaelbeaumont
• fix(GatewayAPI): don't panic if an HTTPRoute references a Gateway with a nonexistent GatewayClass #6722 @michaelbeaumont
• fix(GatewayAPI): don't share HTTPRoute conditions between parentRefs #6537 @michaelbeaumont
• fix(GatewayAPI): npe errors #6852 @michaelbeaumont
• fix(GatewayAPI): reconcile Gateways on Secret changes #6754 @michaelbeaumont
• fix(MeshGateway): don't strip ports from host #6755 @michaelbeaumont
• fix(MeshGateway): tweak route precedence to match Gateway API #6843 @michaelbeaumont
• fix(MeshGatewayInstance): don't overwrite annotations/labels in managed Service #7069 @michaelbeaumont
• fix(MeshHTTPRoute): assume default catch all path (any path starting with "/") in route match when not explicitly set #6993 @bartsmykla
• fix(MeshHTTPRoute): only configure HTTP outbounds or with an explicit matching rule #6876 @michaelbeaumont
• fix(MeshHTTPRoute): rename Prefix to PathPrefix #6578 @michaelbeaumont
• fix(MeshHTTPRoute): require at least one match #6796 @michaelbeaumont
• fix(MeshRetry): set MeshGateway retry on routes not virtual hosts #7029 @michaelbeaumont
• fix(MeshRetry): support MeshGateway #6779 @lobkovilya
• fix(MeshTimeout): only apply Mesh targeted HTTP timeouts for MeshGateway #6981 @michaelbeaumont
• fix(MeshTimeout): set idle timeout on gateways, use route action instead of hcm #6884 @michaelbeaumont
• fix(MeshTrace): create spans with MeshGateway #7043 @michaelbeaumont
• fix(api-server): service-insights should never return items: null #6648 @lahabana
• fix(config): add delta xds flag to defaults #7085 @johnharris85
• fix(gateway): don't skip retry policy with retry methods #6896 @bartsmykla
• fix(helm): change CNI priorityClass from system-cluster-critical to system-node-critical #6634 @michaelbeaumont
• fix(helm): correct appProtocol configurations for https #7087 @johnharris85
• fix(helm): update HPA API version #6792 @johnharris85
• fix(helm): use correct secret for CP CA in ingress/egress #6663 @michaelbeaumont
• fix(insights): react on events #6826 @jakubdyszkiewicz
• fix(kds): trim system namespace suffix from names of plugin originated policies when syncing resources from global to zones in multizone mode. #7019 @bartsmykla
• fix(kuma-cp): add backward compatible reading of virtual outbound from config #7088 @Automaat
• fix(kuma-cp): add missing validation for MeshTimeout #7035 @lobkovilya
• fix(kuma-cp): make finalizer tenant aware #6929 @lukidzi
• fix(kuma-cp): make store changes processing more reliable #6728 @lukidzi
• fix(kuma-cp): make zone insight context independent from parent #6909 @lukidzi
• fix(kuma-cp): race condition when proxy connects to the same CP in less than KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY #6568 @lobkovilya
• fix(kuma-cp): replace err with log when TargetRef can't be resolved #7032 @lobkovilya
• fix(kuma-cp): reset idleTimeout from the old Timeout policy #6747 @lobkovilya
• fix(kuma-cp): use port instead of target port of a headless service #7063 @jakubdyszkiewicz
• fix(kuma-cp): wait between the proxy termination and its deregistration #6533 @lobkovilya
• fix(kuma-dp): honour app content-type #6783 @AyushSenapati
• fix(kumactl): return after loading configuration from memory #6518 @lukidzi
• fix(multitenancy): global tenant in intercp when creating certs #6789 @jakubdyszkiewicz
• perf(k8s): don't reconcile all pods when a service changes #6986 @lahabana
• perf(k8s): omit fetching other dataplanes when vips are in the config map #6940 @jakubdyszkiewicz
• refactor(kds): remove unnecessary function nesting for MapZoneTokenSigningKeyGlobalToPublicKey resource mapper in kds context #7018 @bartsmykla