kumahq/kuma 2.8.0

on GitHub

We are excited to announce the latest release !

Kuma 2.8.0 comes with a new resource MeshExternalService and policy MeshPassthrough.

Notable Changes

MeshPassthrough

• A new policy allows limiting the current passthrough behavior to specific services and destinations. You can read more here

MeshExternalService

• New resource that can replace current ExternalService and mitigate it's issues. Read more here

HostnameGenerator

• New resource enabling custom hostnames for MeshExternalServices, with more functionalities coming in the future here

Upgrading

We strongly suggest upgrading to Kuma 2.8.0. Upgrading is straightforward through kumactl or Helm.

Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Changelog

• chore(build): add possibility to configure extra args for shellcheck #10331 @Automaat
• chore(build): set envoy version conditionally #10538 @lukidzi
• chore(deps): bump Kong/public-shared-actions from 2.2.0 to 2.2.3 #9995 #10126 #10197 @dependabot
• chore(deps): bump actions/checkout from 4.1.2 to 4.1.7 #10036 #10123 #10195 #10263 #10521 @dependabot
• chore(deps): bump actions/create-github-app-token from 1.9.3 to 1.10.1 #10175 #10372 @dependabot
• chore(deps): bump actions/download-artifact from 4.1.4 to 4.1.7 #9993 #10122 @dependabot
• chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 #10173 @dependabot
• chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 #9994 #10035 #10127 @dependabot
• chore(deps): bump cloudsmith-io/action from 0.6.6 to 0.6.9 #10324 #10427 #10523 @dependabot
• chore(deps): bump debian from b37bc25 to a92ed51 #10120 #10264 #10520 @dependabot
• chore(deps): bump distroless/base-nossl-debian11 from 4cba3ac to 1dcd82e #10183 @dependabot
• chore(deps): bump envoy version from 1.29.3 to 1.30.2 #10453 @lukidzi
• chore(deps): bump github.com/cilium/ebpf from 0.14.0 to 0.15.0 #10039 @dependabot
• chore(deps): bump github.com/containernetworking/cni from 1.2.0 to 1.2.1 #10526 @dependabot
• chore(deps): bump github.com/containernetworking/plugins from 1.4.1 to 1.5.0 #10282 @dependabot
• chore(deps): bump github.com/emicklei/go-restful/v3 from 3.12.0 to 3.12.1 #10375 @dependabot
• chore(deps): bump github.com/exaring/otelpgx from 0.5.4 to 0.6.1 #10528 @dependabot
• chore(deps): bump github.com/go-logr/logr from 1.4.1 to 1.4.2 #10295 @dependabot
• chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.0 to 4.17.1 #10038 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.46.13 to 0.46.15 #10118 #10297 @dependabot
• chore(deps): bump github.com/jackc/pgx/v5 from 5.5.5 to 5.6.0 #10325 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.58 to 1.1.61 #9990 #10527 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.19.0 #10119 #10223 #10296 #10326 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.1 #9991 #10180 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 #10226 @dependabot
• chore(deps): bump github.com/prometheus/common from 0.52.3 to 0.54.0 #9989 #10374 @dependabot
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 #10530 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.30.0 to 0.31.0 #10222 @dependabot
• chore(deps): bump github/codeql-action from 3.25.0 to 3.25.10 #9996 #10128 #10227 #10286 #10373 #10396 #10522 @dependabot
• chore(deps): bump go.opentelemetry.io/proto/otlp from 1.2.0 to 1.3.1 #10524 @dependabot
• chore(deps): bump golang.org/x/net from 0.24.0 to 0.26.0 #10225 #10398 @dependabot
• chore(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 #10181 @dependabot
• chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 #10176 @dependabot
• chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 6.0.1 #10129 #10174 #10196 @dependabot
• chore(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 #10266 @dependabot
• chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.2 #10177 #10525 @dependabot
• chore(deps): bump kumahq/ubuntu-netools from 9eba4ba to 8675216 #10131 #10182 #10285 @dependabot
• chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 #10228 @dependabot
• chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.5 #9997 #10125 @dependabot
• chore(deps): bump postgres from 5c58707 to 46aa2ee #10041 #10132 #10221 #10284 #10514 @dependabot
• chore(deps): bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 #10124 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 9 updates #10115 #10294 @dependabot
• chore(deps): bump ubuntu from jammy-20240227 to jammy-20240530 #9987 #10121 #10184 #10413 @dependabot
• chore(deps): ignore go-control-plane updates by dependabot #10412 @bartsmykla
• chore(deps): update CNI to v1.2.0 #10101 @Icarus9913
• chore(deps): upgrade go to 1.21.11 #10401 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #9978 #9980 #9985 #9998 #10001 #10009 #10010 #10043 #10044 #10052 #10053 #10060 #10061 #10062 #10064 #10092 #10093 #10105 #10108 #10111 #10112 #10135 #10136 #10143 #10187 #10188 #10190 #10198 #10199 #10201 #10210 #10213 #10231 #10232 #10240 #10242 #10249 #10262 #10269 #10281 #10283 #10289 #10292 #10302 #10305 #10307 #10310 #10311 #10423 #10424 #10425 #10429 #10431 #10432 #10450 #10456 #10465 #10473 #10479 #10493 #10505 #10536 #10556 #10596 #10603 @kumahq
• feat(Mesh*Service): validate name length #10544 @michaelbeaumont
• feat(MeshExternalService): implement a new resource #10239 #10293 #10306 #10336 #10444 #10445 #10568 #10570 #10578 #10594 @lukidzi,@slonka
• feat(MeshRetry): allow setting numRetries to 0 to disable retries #10250 @lahabana
• feat(MeshService): add events when generating from Kubernetes Service #10290 @michaelbeaumont
• feat(MeshService): add port names #10287 @michaelbeaumont
• feat(MeshService): handle headless Services #10308 @michaelbeaumont
• feat(MeshService): set kuma.io/managed-by for converted MeshServices #10481 @michaelbeaumont
• feat(MeshService): support mTLS #10403 @michaelbeaumont
• feat(MeshService): tag with headlessness, add pod-name/pod-index labels #10472 @michaelbeaumont
• feat(MeshService): use hostnames for DNS #10387 @michaelbeaumont
• feat(api-server): update policies api response structure #10428 @Icarus9913
• feat(hostnamegenerator): add display name to HostnameGenerator #10476 @slonka
• feat(hostnamegenerator): add zone and namespace variables #10533 @jakubdyszkiewicz
• feat(hostnamegenerator): apply templates to MeshServices #10362 @michaelbeaumont
• feat(hostnamegenerator): implement MeshExternalService support #10379 @lukidzi
• feat(hostnamegenerator): prevent template being empty #10548 @slonka
• feat(k8s): add kubernetes.io/hostname to default node labels to copy #10243 @slonka
• feat(k8s): opt-in to support tls for GAPI in all namespaces #10015 @jakubdyszkiewicz
• feat(kds): add a flag to avoid creating a zone on connection on kds #10298 @lahabana
• feat(kds): create first, then remove synced resources #10562 @Automaat
• feat(kds): sync mesh service status #10337 @jakubdyszkiewicz
• feat(kuma-cni): add readOnlyRootFilesystem into securityContext of the container kuma-validation #10394 @jijiechen
• feat(kuma-cp): add error type to nack metric #10013 @slonka
• feat(kuma-cp): add policy matching api for meshservice #10378 @Automaat
• feat(kuma-cp): always add kuma.io/zone label to resource #10457 @Automaat
• feat(kuma-cp): consumer policies on app's namespace #10361 @lobkovilya
• feat(kuma-dp): add function to find default CA #10367 @lukidzi
• feat(meshexternalservice): add IP allocator for meshexternalservice #10376 @lukidzi
• feat(meshpassthrough): create API and validators #10314 @lukidzi
• feat(meshpassthrough): implement new policy #10363 #10458 #10466 #10532 #10576 #10595 @lukidzi
• feat(meshservice): cross-zone connectivity #10411 @jakubdyszkiewicz
• feat(meshservice): ipam #10320 @jakubdyszkiewicz
• feat(meshservice): prefer MeshService over kuma.io/service routing #10564 @jakubdyszkiewicz
• feat(meshservice): rename protocol to appprotocol #10539 @jakubdyszkiewicz
• feat(meshservice): sync identity cross zones #10451 @jakubdyszkiewicz
• feat(meshservice): sync mesh service to other zones #10380 @jakubdyszkiewicz
• feat(report): add more info in the report #10270 @lahabana
• feat(store): update does not wipe out labels #10335 @jakubdyszkiewicz
• fix(GatewayAPI): only enqueue Gateway reconciliations from routes if parent is a Gateway #10316 @spacewander
• fix(HostnameGenerator): don't exit component on error #10392 @michaelbeaumont
• fix(Mesh*Service): rename HostnameGenerator ref name to coreName #10597 @michaelbeaumont
• fix(MeshHttpRoute): don't split header value prematurely #10191 @spacewander
• fix(MeshRoute): properly map listener TLS certs to DownstreamTlsContext #10272 @michaelbeaumont
• fix(ZoneIngress): fix no pointer panic for advertised address resolving #10475 @Icarus9913
• fix(api-server): check for tenant just before logging #10377 @michaelbeaumont
• fix(api-server): fix trace/span ID processing in logs #10100 @bartsmykla
• fix(gateway): handle implicit kuma.io/service in pod annotation #10076 @jakubdyszkiewicz
• fix(gateway): run validating webhook on MeshGatewayInstance #10330 @Icarus9913
• fix(gateway): support inlineString in TLS certificates #10159 @michaelbeaumont
• fix(gatewayapi): reconcile HTTPRoutes when relevant Services change #10192 @michaelbeaumont
• fix(gatewayapi): validate presence of all required Gateway API resources #10079 @bartsmykla
• fix(helm): don't fail when webhook doesn't exist #10098 @lahabana
• fix(helm): include GatewayClass only if installing a zone CP in Kubernetes mode #10012 @michaelbeaumont
• fix(jobs): jobs termination after CP restart #10085 @jakubdyszkiewicz
• fix(k8s): don't error if a service doesn't expose any ports we can handle #9982 @michaelbeaumont
• fix(k8s): take mesh from label of the namespace #10580 @jakubdyszkiewicz
• fix(k8s): use EndpointSlices to determine identity for Service without selectors #10134 @michaelbeaumont
• fix(k8s): virtual probes for sidecar initContainer ports also exposed by a Service #9971 @michaelbeaumont
• fix(kds): change version label for kds_clint_versions metric #10323 @Automaat
• fix(kds): clone resource on update meta #10460 @jakubdyszkiewicz
• fix(kds): fix resource name hashing on global #10452 @Automaat
• fix(kds): fix the case when webhook/db reject resource #10315 @lukidzi
• fix(kds): fix updating metric of kds client version #10312 @Automaat
• fix(kds): make error handling similar between GlobalToZoneSync and ZoneToGlobalSync #10056 @michaelbeaumont
• fix(kds): send NACK only when resource is invalid and do not retry #10480 @lukidzi
• fix(kuma-cp): allow MES / HG to only be created in SystemNamespace #10577 @lobkovilya
• fix(kuma-cp): cleanup generated egress certs #10162 @michaelbeaumont
• fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs #10160 @michaelbeaumont
• fix(kuma-cp): consistently update ZoneIngress available services #10426 @michaelbeaumont
• fix(kuma-cp): filter out old dangling zone resources in global (backport of #10245) #10268 @michaelbeaumont
• fix(kuma-cp): index generated certs by proxy type #10161 @michaelbeaumont
• fix(kuma-cp): mistakenly setting 'kuma.io/display-name' as label #10430 @lobkovilya
• fix(kuma-cp): panic on mesh delete #10604 @jakubdyszkiewicz
• fix(kuma-cp): validate the bandwidth strictly #10371 @spacewander
• fix(kuma-dp): set systemCaPath when requesting config from kuma-cp #10443 @lukidzi
• fix(kumactl): fix bad escape on regex #10420 @lahabana
• fix(meshservice): tags and selector #10535 @jakubdyszkiewicz
• fix(transparent-proxy): stop logging all to stderr when installing tproxy #10045 @bartsmykla
• fix(validation): don't prefix validation errors with spec. for core plugin resources #10543 @michaelbeaumont