kumahq/kuma 2.5.0

on GitHub

We’re excited to announce the release of Kuma 2.5, a new minor release packed with exciting features such as advanced locality-aware load balancing, auto-reachable services, and targetRef based policies becoming GA.

Upgrading

We strongly suggest upgrading to Kuma 2.5.0. Upgrading is easy through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable features:

• 🚀 Advanced locality-aware load balancing inside and across zones helps you achieve cost savings and high reliability, even in the most constrained environments.
• 🚀 Reachable services can now be derived from MeshTrafficPermissions to get performance improvements for free.
• 🚀 Support for Gateway API v1 following Gateway APIs first GA release!
• 🚀 Delta KDS is now enabled by default. This greatly reduces the resource consumption of the Global CP / Zone CP protocol.
• 🚀 Many improvements to the GUI.
• 🚀 Upgrade to Envoy 1.28.

Read the blog post for details!

Changelog

• chore(deps): bump actions/checkout from 3 to 4 #7639 @dependabot
• chore(deps): bump actions/setup-node from 3 to 4 #8109 @dependabot
• chore(deps): bump cirello.io/pglock from 1.14.0 to 1.14.1 #7914 @dependabot
• chore(deps): bump debian from b91baba to 7d3e881 #7697 #7852 #8053 @dependabot
• chore(deps): bump distroless/base-nossl-debian11 from 6579e1f to 1ae8df5 #7635 #7985 @dependabot
• chore(deps): bump distroless/static-debian11 from 312a533 to cdb2034 #7636 #7987 @dependabot
• chore(deps): bump envoy from 1.27.0 to 1.27.1 #8023 @lahabana
• chore(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.2 #8093 @dependabot
• chore(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #7712 @dependabot
• chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible #8183 @dependabot
• chore(deps): bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0 #7786 @dependabot
• chore(deps): bump github.com/exaring/otelpgx from 0.5.1 to 0.5.2 #7857 @dependabot
• chore(deps): bump github.com/go-logr/logr from 1.2.4 to 1.3.0 #8184 @dependabot
• chore(deps): bump github.com/google/uuid from 1.3.0 to 1.4.0 #7609 #8188 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.43.13 to 0.46.1 #7792 #7993 #8090 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.55 to 1.1.56 #7785 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.13.0 #7611 #7854 #7991 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.27.10 to 1.29.0 #7917 #8094 #8185 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 #7916 @dependabot
• chore(deps): bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 #7992 @dependabot
• chore(deps): bump github.com/slok/go-http-metrics from 0.10.0 to 0.11.0 #8091 @dependabot
• chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 #7989 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.23.0 to 0.26.0 #7791 #7945 #8186 @dependabot
• chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.0 to 0.1.1 #7641 @dependabot
• chore(deps): bump go from 1.20.7 to 1.21.1 #7799 @lukidzi
• chore(deps): bump go version to 1.21.3 #8001 @slonka
• chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 #7789 @dependabot
• chore(deps): bump golang.org/x/net from 0.14.0 to 0.16.0 #7699 #7988 @dependabot
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #8034 @michaelbeaumont
• chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 #7642 @dependabot
• chore(deps): bump golang.org/x/text from 0.12.0 to 0.13.0 #7640 @dependabot
• chore(deps): bump golangci-lint from v1.53.3 to v1.54.1 #7837 @michaelbeaumont
• chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.59.0 #7698 #7788 #7856 #8097 @dependabot
• chore(deps): bump helm.sh/helm/v3 from 3.12.3 to 3.13.1 #7915 #8089 @dependabot
• chore(deps): bump k8s.io/apiextensions-apiserver from v0.28.1 to v0.28.2 #7918 @michaelbeaumont
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.3 #7643 #7787 #8095 @dependabot
• chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to v1.0.0 #7644 #7781 #8150 @dependabot,@michaelbeaumont
• chore(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 #8187 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 3 updates #7784 #7920 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 3 updates #8347 @slonka
• chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates #7613 @dependabot
• chore(deps): bump the go-opentelemetry-io-otel group with 2 updates #7607 @dependabot
• chore(deps): bump the k8s-libs group with 3 updates #7606 #7790 #8088 @dependabot
• chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 #7638 #7731 #7853 @dependabot
• chore(deps): bump ubuntu from ec050c3 to 2b7412e #7637 #7986 #8052 @dependabot
• chore(deps): downgrade testcontainers-go from v0.24.0 to v0.23.0 #7800 @jakubdyszkiewicz
• chore(deps): update gateway-api #8270 @michaelbeaumont
• chore(deps): update go to 1.21.4 #8341 @slonka
• chore(deps): upgrade envoy to 1.28.0 #8158 @lukidzi
• chore(deps): upgrade github.com/gruntwork-io/terratest to v0.43.13 #7706 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #7603 #7604 #7605 #7612 #7614 #7617 #7619 #7620 #7622 #7626 #7627 #7628 #7629 #7631 #7646 #7647 #7648 #7650 #7653 #7658 #7659 #7689 #7700 #7710 #7713 #7721 #7727 #7729 #7730 #7732 #7733 #7738 #7739 #7749 #7750 #7754 #7755 #7766 #7777 #7779 #7795 #7797 #7798 #7802 #7804 #7806 #7811 #7812 #7822 #7866 #7867 #7899 #7900 #7902 #7935 #7953 #7966 #7973 #7979 #7980 #7983 #7984 #7996 #7998 #8009 #8010 #8041 #8045 #8048 #8049 #8057 #8059 #8061 #8074 #8080 #8083 #8085 #8104 #8115 #8118 #8120 #8126 #8145 #8146 #8147 #8201 #8207 #8210 #8213 #8214 #8215 #8217 #8219 #8220 #8221 #8232 #8236 #8238 #8239 @kumahq
• feat(ExternalService): add skip hostname verification for external services #7633 @alparslanavci
• feat(MeshLoadBalancingStrategy): new locality aware api #8082 #8112 @Automaat,@lukidzi
• feat(MeshProxyPatch): allow policy to target MeshGateway resources #8044 @bartsmykla
• feat(api-server): add /_overview for all types that have overviews #7999 #8173 @lahabana
• feat(api-server): add filtering on list external-services and dataplanes #7810 @lahabana
• feat(api-server): added query parameter to filter services by name #8154 @lukidzi
• feat(api-server): implement new Global Insight endpoint #7775 #7872 @Automaat
• feat(api-server): new inspect api #8148 @lahabana
• feat(docs): add generated openapi docs #7975 @lahabana
• feat(dp-token): allow validator to define keys not scoped to a mesh #8169 @nicoche
• feat(events): configurable buffers and predicates #7735 @jakubdyszkiewicz
• feat(gui): adds storeType index.html variable #7965 @johncowen
• feat(helm): add configurable service port for cp ingress #8263 @lahabana
• feat(helm): add loadBalancerSourceRanges on global zone sync service #7978 @slavogiez
• feat(helm): add possibility to run universal zone cp on kubernetes #7924 @Automaat
• feat(helm): add service-account features to egress and ingress #7864 @lahabana
• feat(helm): add support for controlplane deployment annotations #7959 @slavogiez
• feat(helm): allow to define service accounts annotations #7724 @lukidzi
• feat(helm): allow to disable tls-checksum generation #7955 @lukidzi
• feat(helm): minReadySeconds for control plane #7931 @jakubdyszkiewicz
• feat(insights): jitter zone insights upsert #7925 @jakubdyszkiewicz
• feat(insights): metrics of reason and result #7752 @jakubdyszkiewicz
• feat(insights): multiple workers #7778 @jakubdyszkiewicz
• feat(kds): add metrics to event based watchdog #7651 @jakubdyszkiewicz
• feat(kds): add user-agent with useful version info #7886 @lahabana
• feat(kds): allow to delay full resync when ticker #7782 @lukidzi
• feat(kds): allow to disable KDS SOTW grpc api #7961 @lukidzi
• feat(kds): better error handling #7868 @jakubdyszkiewicz
• feat(kds): compact subscriptions in insights #7962 @jakubdyszkiewicz
• feat(kds): enable delta by default #8262 @lahabana
• feat(kds): execute filters on envoy admin streams #7905 @jakubdyszkiewicz
• feat(kds): experimental event based watchdog #7624 @jakubdyszkiewicz
• feat(kds): introduce zone health checks #7821 @michaelbeaumont
• feat(kds): pass resource keys to resourceStore for delta kds #7654 @lukidzi
• feat(kds): resource sync metric #7794 @jakubdyszkiewicz
• feat(kds): response backoff #7997 @jakubdyszkiewicz
• feat(kds): use hash-suffix for KDS sync #7519 @lobkovilya
• feat(kuma-cp): add HealthCheck unary endpoint #7815 @michaelbeaumont
• feat(kuma-cp): add basedOnKuma in cp_info metric #8218 @lahabana
• feat(kuma-cp): add locality aware implementation for egress #8233 @Automaat
• feat(kuma-cp): add support for Gateway in MeshLoadBalancingStrategy #8309 @Automaat
• feat(kuma-cp): allow to disable backend validation #7901 @lukidzi
• feat(kuma-cp): make OpenTelemetry control plane tracing fully configurable #7936 @michaelbeaumont
• feat(kuma-cp): move KDS hash suffix under a feature flag #8363 @lobkovilya
• feat(kuma-dp): support setting Envoy's --component-log-level #8241 @michaelbeaumont
• feat(kumactl): support new inspect api #8192 @lahabana
• feat(rsa): add support for PKIX encoded pubkeys #8179 @nicoche
• feat(store): add owner reference to the secrets #7770 @slonka
• feat(store): added postgres index for owner columns #7625 @lukidzi
• feat(store): allow ResourceStore to be customized #7743 @bartsmykla
• feat(store): conflict metrics #7753 @jakubdyszkiewicz
• feat(store): consistent gets for read replica #7923 @jakubdyszkiewicz
• feat(store): support postgres reader replica #7763 @jakubdyszkiewicz
• feat(tenants): add extension points for sharding #7502 @jakubdyszkiewicz
• feat(transparent-proxy): add --exclude-outbound-ports-for-uids #7588 @lahabana
• feat(transparent-proxy): allow to wait for xtables lock and retry when installing tproxy fails #7870 @bartsmykla
• feat(xds): auto reachable services based on MeshTrafficPermission #8125 @jakubdyszkiewicz
• fix(MeshFaultInjection): include tags negation in header matching #8043 @bartsmykla
• fix(MeshGateway): ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames #8156 @ttreptow
• fix(MeshTrafficPermission): support permissive mtls #8171 @jakubdyszkiewicz
• fix(TrafficRoute): use default value when choiceCount is 0 #7938 @lukidzi
• fix(api-server): 400 error on admin operations on not yet connected stream #8039 @slonka
• fix(api-server): always remove empty array in inspect gw api #8209 @lahabana
• fix(api-server): avoid panic when there no insight for entity #8068 @lahabana
• fix(api-server): dataplane overview pagination #7803 @jakubdyszkiewicz
• fix(api-server): empty list instead of null #7780 @jakubdyszkiewicz
• fix(api-server): improve HandleError to handle rest_errors.Error and fix Unauthenticated error handling #7818 @bartsmykla
• fix(api-server): improve error handling and return status #7937 @lahabana
• fix(core): better lifecycle when context is getting cancelled #8268 @lahabana
• fix(envoy): remove apple flag #8314 @lukidzi
• fix(gatewayapi): don't set RefNotPermitted for GAMMA routes #7771 @michaelbeaumont
• fix(gatewayapi): don't set listener ResolvedRefs based on routes ResolvedRefs #7809 @michaelbeaumont
• fix(helm): do not run webhooks on kube-system #8157 @lahabana
• fix(helm): make CNI configmap and serviceaccount support custom namespace #7956 @slavogiez
• fix(helm): use bitnami/kubectl image for helm hooks #7656 @lahabana
• fix(insights): have subscription gc also work for zoneEgress insights #7954 @lahabana
• fix(insights): improve ZoneInsight subscription management #8153 @michaelbeaumont
• fix(k8s): add namespace to deleteObjectIfExist in pod controller #8063 @slonka
• fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations #8301 @slonka
• fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services #8168 @bartsmykla
• fix(kds): call CloseSend and exit a goroutine when sync fails to start #7869 @lukidzi
• fix(kds): delta delivery metric #7793 @jakubdyszkiewicz
• fix(kds): don't inc KdsGenerationErrors when context canceled #7913 @michaelbeaumont
• fix(kds): experimental watchdog concurrent map write #7630 @jakubdyszkiewicz
• fix(kds): set error when KDS clients fails in goroutine #7725 @lukidzi
• fix(kds): try returning unavailable on app context finish #8050 @slonka
• fix(kds): use deprecated method in otel #8366 @slonka
• fix(kuma-cni): support port exclusion for UIDs #8319 @lobkovilya
• fix(kuma-cp): change affinityTag field in MeshLoadBalancingStrategy t… #8294 @Automaat
• fix(kuma-cp): cleanup interval should be calculated based on "expirationTime" for hashCache #8065 @lobkovilya
• fix(kuma-cp): don't add postStart hook to builtin gateway even if waitForDataplaneReady: true #7939 @lobkovilya
• fix(kuma-cp): don't configure RBAC rules on Prometheus listener #8172 @lobkovilya
• fix(kuma-cp): fix Zone{In|E}gress sync when no mesh #8129 @bartsmykla
• fix(kuma-cp): meta validation compatible with Kubernetes naming rules #7976 @lobkovilya
• fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes #7909 @lobkovilya
• fix(kuma-cp): take proper context for resync #7805 @lukidzi
• fix(kuma-cp): use GetConsistent store when validating default mesh resources #7949 @lukidzi
• fix(kuma-cp): using policy name with "." causes hash to be inserted in the wrong place on the zone #8240 @lobkovilya
• fix(kuma-dp): advise user to check pod events when data plane rejected by webhooks #8257 @jijiechen
• fix(kuma-dp): fix build #8282 @Automaat
• fix(kuma-dp): fix incorrect dataplane name due to mangled env vars #8199 @bartsmykla
• fix(kumactl): add --mesh parameter to inspect <policy> #7696 @lahabana
• fix(observability): add annotation to make observability while running CNI work #8330 @slonka
• fix(policy): improve targetRef name and tags validation #7972 @alparslanavci
• fix(store): fix passing logs to pglock #8040 @slonka
• fix(store): use customizer for postgres ro pool #7769 @jakubdyszkiewicz
• fix(transparent-proxy): fix --wait flags for iptables legacy #8364 @bartsmykla
• fix(xds): backwards compatibility on access logs paths #7662 @jakubdyszkiewicz
• fix(xds): use stable hashes for outbound cluster names #8081 @michaelbeaumont
• perf(insights): fetch dp overviews once #7652 @jakubdyszkiewicz
• perf(insights): fetch external services once #7796 @lukidzi
• perf(insights): refresh only changed #7737 @jakubdyszkiewicz
• perf(store): postgres transactions #7995 @jakubdyszkiewicz
• perf(xds): put the Gatewaylisteners in the Proxy #8051 @lahabana