Kong Mesh Changelog

Changelog

2.9.2

Released on 2024/12/10

chore(deps): bump kumahq/kuma from 2.9.1 to 2.9.2 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.9.2 changelog

chore(deps): bump golang from 1.23.2 to 1.23.3 #12084 @lukidzi
fix(meshpassthrough): Refactor MeshPassthrough implementation to generate correct route #12157 @kumahq
fix(meshtrafficpermission): nil pointer for autoreachableservice when no top targetRef (backport of #12152) #12161 @kumahq

2.6.14

Released on 2024/12/10

chore(deps): bump kumahq/kuma from 2.6.13 to 2.6.14 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.6.14 changelog

chore(deps): upgrade go from 1.22.8 to 1.22.9 #12087 @lukidzi
fix(kds): clone resource on update meta (backport of #10460) #12121 @kumahq

2.7.10

Released on 2024/12/09

chore(deps): bump kumahq/kuma from 2.7.10 to 2.7.10 @kong-mesh

Includes kumahq/kuma@2.7.10 changelog

chore(deps): upgrade go from 1.22.8 to 1.22.9 #12086 @lukidzi
fix(kds): clone resource on update meta (backport of #10460) #12122 @kumahq

2.9.1

Released on 2024/11/18

chore(deps): bump kumahq/kuma from 2.9.0 to 2.9.1 @kong-mesh
chore(deps): change go-control-plane version @lukidzi
chore(deps): upgrade shadow-utils after minimal version upgrade (backport of #6942) @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.9.1 changelog

chore(deps): algin forked go-control-plane version with upstream #12029 @kumahq
chore(deps): bump envoy from 1.30.6 to 1.30.7 #11958 @lukidzi
chore(deps): security update #11982 @kumahq
chore(deps): use latest kumahq/kuma-gui #11944 @kumahq
fix(cni): delegated gateway was not correctly injected (backport of #11922) #11928 @kumahq
fix(k8s): set annotation kuma.io/display-name for Secrets and Configs (backport of #11923) #11942 @kumahq
fix(kuma-cp): avoid concurrent access on resource meta (backport of #11997) #12024 @kumahq
fix(meshtimeout): don’t set default timeouts on inbound cluster and listener (backport of #12043) #12049 @kumahq

2.8.5

Released on 2024/11/18

chore(deps): bump kumahq/kuma from 2.8.4 to 2.8.5 @kong-mesh
chore(deps): upgrade shadow-utils after minimal version upgrade (backport of #6942) @kong-mesh

Includes kumahq/kuma@2.8.5 changelog

chore(deps): bump envoy from 1.30.6 to 1.30.7 #11957 @lukidzi
chore(deps): security update #11973 @kumahq
fix(k8s): set annotation kuma.io/display-name for Secrets and Configs (backport of #11923) #11943 @kumahq
fix(kuma-cp): avoid concurrent access on resource meta (backport of #11997) #12022 @kumahq

2.7.9

Released on 2024/11/18

chore(deps): bump kumahq/kuma from 2.7.8 to 2.7.9 @kong-mesh
chore(deps): upgrade shadow-utils after minimal version upgrade (backport of #6942) @kong-mesh

Includes kumahq/kuma@2.7.9 changelog

chore(deps): bump envoy from 1.29.9 to 1.29.10 #11956 @lukidzi
chore(deps): security update #11972 @kumahq
fix(k8s): set annotation kuma.io/display-name for Secrets and Configs (backport of #11923) #11941 @kumahq
fix(kuma-cp): avoid concurrent access on resource meta (backport of #11997) #12023 @kumahq
fix(store): preserve existing labels when update #11954 @kumahq

2.6.13

Released on 2024/11/18

chore(deps): bump kumahq/kuma from 2.6.12 to 2.6.13 @kong-mesh
chore(deps): upgrade shadow-utils after minimal version upgrade (backport of #6942) @kong-mesh

Includes kumahq/kuma@2.6.13 changelog

chore(deps): bump envoy from 1.28.7 to 1.29.10 #11960 @lukidzi
chore(deps): security update #11975 @kumahq
fix(k8s): set annotation kuma.io/display-name for Secrets and Configs (backport of #11923) #11940 @kumahq
fix(kuma-cp): avoid concurrent access on resource meta (backport of #11997) #12021 @kumahq
fix(store): preserve existing labels when update #11953 @kumahq

2.9.0

Released on 2024/10/22

chore(deps): bump Kong/public-shared-actions from 2.3.0 to 2.7.3 @dependabot
chore(deps): bump actions/create-github-app-token from 1.10.1 to 1.11.0 @dependabot
chore(deps): bump envoy for windows from 1.28.4 to 1.28.5 @lukidzi
chore(deps): bump envoy for windows from 1.28.5 to 1.28.7 @lukidzi
chore(deps): bump github.com/Kong/kauth-api from 1.142.0 to 1.149.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/identity from 0.6.2 to 1.4.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.13.18 to 1.15.2 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.54.4 to 1.55.5 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.14.5 to 1.16.1 @dependabot
chore(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.3.1+incompatible @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.47.1 to 0.47.2 @dependabot
chore(deps): bump github.com/hashicorp/vault/api from 1.14.0 to 1.15.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.7.0 to 0.8.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.13.0 to 0.14.0 @dependabot
chore(deps): bump github.com/open-policy-agent/opa-envoy-plugin from 0.67.1-envoy to 0.68.0-envoy-4 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 @dependabot
chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.52.0 to 0.54.0 @dependabot
chore(deps): bump google.golang.org/grpc from 1.66.1 to 1.67.1 @dependabot
chore(deps): bump kumahq/kuma from 62e96b4b8a90 to 2.9.0 @kong-mesh
chore(deps): bump kumahq/ubuntu-netools from 8675216 to 4243009 @dependabot
chore(deps): bump peter-evans/create-pull-request from 6 to 7 @dependabot
chore(deps): bump the go-opentelemetry-io group with 4 updates @dependabot
chore(deps): bump the opa group with 2 updates @dependabot
chore(deps): bump ubi9-minimal from 9.4-1134 to 9.4-1227.1726694542 @dependabot
chore(deps): replace all go control plane versions @slonka
chore(deps): security update @kong-mesh
chore(deps): update go-control-plane to kumahq fork v0.13.2 @jakubdyszkiewicz
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(kuma-dp): add windows deprecation notice @johnharris85

Includes kumahq/kuma@2.9.0 changelog

chore(deps): bump Kong/public-shared-actions from 2.3.0 to 2.7.3 #11139 #11218 #11263 #11310 #11518 #11598 #11696 @dependabot
chore(deps): bump coredns from v1.11.1 to v1.11.3 #11568 @michaelbeaumont
chore(deps): bump debian from 12.5 to 27586f4 #10756 #11007 #11142 #11357 #11596 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 1dcd82e to d66c60e #10823 @dependabot
chore(deps): bump distroless/static-debian11 from 459f8ab to 55716e8 #10824 @dependabot
chore(deps): bump envoy from 1.30.2 to 1.30.6 #10645 #10692 #11488 @lukidzi
chore(deps): bump github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0 #11259 @dependabot
chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to 3.3.0 #11281 @dependabot
chore(deps): bump github.com/cilium/ebpf from 0.15.0 to 0.16.0 #11006 @dependabot
chore(deps): bump github.com/containernetworking/cni from 1.2.1 to 1.2.3 #10703 #10939 @dependabot
chore(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.1.1+incompatible #11012 #11084 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.4 to 1.1.0 #11097 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.6.1 to 0.6.2 #10701 @dependabot
chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.1 to 4.18.1 #11353 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.46.15 to 0.47.2 #10700 #10899 #11282 #11677 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.6.0 to 5.7.1 #11358 #11436 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.61 to 1.1.62 #11117 @dependabot
chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2 #10938 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.20.2 #11005 #11099 #11212 #11258 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.33.1 to 1.34.2 #11004 #11048 #11262 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.19.1 to 1.20.4 #11119 #11215 #11352 #11522 @dependabot
chore(deps): bump github.com/prometheus/common from 0.54.0 to 0.60.0 #10702 #11260 #11313 #11356 #11681 @dependabot
chore(deps): bump github.com/sethvargo/go-retry from 0.2.4 to 0.3.0 #11046 @dependabot
chore(deps): bump github.com/slok/go-http-metrics from 0.11.0 to 0.13.0 #10037 #11354 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.3.0 to 2.4.0 #11680 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.31.0 to 0.33.0 #10827 #11214 @dependabot
chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.2 to 0.1.3 #10699 @dependabot
chore(deps): bump github.com/vishvananda/netlink from 1.2.1-beta.2 to 1.3.0 #11213 @dependabot
chore(deps): bump go from 1.22.7 to 1.23.2 #11363 #11631 @michaelbeaumont,@slonka
chore(deps): bump golang.org/x/net from 0.26.0 to 0.30.0 #10826 #11096 #11355 #11683 @dependabot
chore(deps): bump golang.org/x/sys from 0.21.0 to 0.26.0 #10825 #11047 #11098 #11314 #11679 @dependabot
chore(deps): bump golang.org/x/text from 0.16.0 to 0.19.0 #11100 #11315 #11678 @dependabot
chore(deps): bump gonum.org/v1/gonum from 0.15.0 to 0.15.1 #11138 @dependabot
chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.67.0 #10758 #11521 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 #11699 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.14.4 to 3.16.1 #10531 #10898 #11118 #11435 @dependabot
chore(deps): bump kumahq/ubuntu-netools from 8675216 to 4243009 #10704 @dependabot
chore(deps): bump postgres from 46aa2ee to 4ec37d2 #10755 #11008 #11101 #11136 #11351 #11600 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.16.1 to 0.16.2 #11280 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from 1.1.0 to 1.2.0 #11676 @dependabot
chore(deps): bump the go-opentelemetry-io group across 1 directory with 9 updates #10767 @dependabot
chore(deps): bump the go-opentelemetry-io group with 9 updates #11211 #11433 @dependabot
chore(deps): bump the k8s-libs group across 1 directory with 10 updates #10759 @dependabot
chore(deps): bump the k8s-libs group with 5 updates #10937 @dependabot
chore(deps): bump the k8s-libs group with 6 updates #11432 @dependabot
chore(deps): bump the k8s-libs group with 8 updates #11137 @dependabot
chore(deps): bump ubuntu from jammy-20240530 to jammy-20240808 #11141 @dependabot
chore(deps): security update #11331 @kumahq
chore(deps): use latest kumahq/kuma-gui #10587 #10627 #10629 #10632 #10633 #10635 #10636 #10644 #10647 #10650 #10666 #10673 #10674 #10687 #10718 #10720 #10727 #10795 #10797 #10838 #10840 #10843 #10846 #10861 #10881 #10895 #10902 #10909 #10911 #10912 #10950 #10967 #10971 #10985 #10986 #11011 #11015 #11016 #11030 #11243 #11269 #11271 #11290 #11291 #11295 #11299 #11303 #11306 #11320 #11340 #11366 #11368 #11370 #11374 #11376 #11411 #11419 #11446 #11451 #11453 #11454 #11480 #11495 #11530 #11535 #11536 #11559 #11577 #11580 #11594 #11595 #11603 #11622 #11647 #11751 @kumahq
feat(GatewayAPI): support port in parentRef #10828 @michaelbeaumont
feat(HostnameGenerator): automatically create default generators #11017 @jakubdyszkiewicz
feat(Mesh*Route): require port with MeshMultiZoneService backends #11479 @michaelbeaumont
feat(Mesh*Service): add first hostname as kubectl column #11714 @michaelbeaumont
feat(MeshExternalService): added option to disable allow-all RBAC #11073 @lukidzi
feat(MeshMultiZoneService): add support to MeshCircuitBreaker, MeshAccessLog, MeshHealthCheck, MeshRetry #11322 @michaelbeaumont
feat(MeshMultiZoneService): support as target #11205 @michaelbeaumont
feat(MeshMultizoneService): support multizone deployments of mesh services. #10643 #10648 #10667 #10683 #10883 #10984 @jakubdyszkiewicz
feat(MeshService): add Mesh.MeshServices.Enabled to control behavior #11279 @michaelbeaumont
feat(MeshService): add event to the Service that an unsupported port is being ignored #11033 @michaelbeaumont
feat(MeshService): add grace period before deleting generated MeshServices on universal #11018 @michaelbeaumont
feat(MeshService): automatically add port name when generating #11210 @michaelbeaumont
feat(MeshService): create different clusters for real MeshServices #11251 @michaelbeaumont
feat(MeshService): disable available services on disabled vips #10612 @jakubdyszkiewicz
feat(MeshService): generate MeshService from Dataplanes on universal #10917 @michaelbeaumont
feat(MeshService): mitigate and handle resource conflicts #11385 @jakubdyszkiewicz
feat(MeshService): permissive mtls #10929 @jakubdyszkiewicz
feat(MeshService): proxies stats and state #10970 @jakubdyszkiewicz
feat(MeshTimeout): support MeshMultiZoneService #11206 @michaelbeaumont
feat(api-server): extend Inspect API with new ResourceRules #11040 @Automaat
feat(autoreachableservices): support kuma.io/service in mesh subset #11244 @jakubdyszkiewicz
feat(helm): add possibility to configure env vars with value form referenced field #10716 @Automaat
feat(insights): add resources to global insights #11216 @jakubdyszkiewicz
feat(insights): count new services as resources #11083 @jakubdyszkiewicz
feat(kds): remove kds v1 #10946 @Icarus9913
feat(kuma-cp): add backendRef indexes to rules #11175 @lobkovilya
feat(kuma-cp): add possibility to omit top level targetRef in policies #11321 @Automaat
feat(kuma-cp): add resource owner to resources in ResourceSet #11043 @Automaat
feat(kuma-cp): don’t trace intercp pings #10936 @michaelbeaumont
feat(kuma-cp): exit with 0 when kubernetes leader election is lost #11106 @michaelbeaumont
feat(kuma-cp): introduce ResourceRules #10886 @lobkovilya
feat(kuma-cp): make loggers naming from xds package consistent #10965 @Automaat
feat(kuma-cp): resolve labels for backendref #11360 @jakubdyszkiewicz
feat(kuma-cp): set kuma.io/env label #11053 @michaelbeaumont
feat(kuma-cp): set kuma.io/mesh label using ComputeLabels func #11104 @lobkovilya
feat(kuma-cp): set kuma.io/mesh on universal resource labels #11037 @michaelbeaumont
feat(kuma-cp): standarize cluster name for Mesh*Service #11398 @lukidzi
feat(kuma-cp): support producer policy flow #11308 @lobkovilya
feat(kuma-cp): use ResourceIdentifier in MeshContext structs #11203 @lobkovilya
feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy #11107 @jijiechen
feat(kuma-dp): support TCP and gRPC probes for data planes running on Kubernetes #10624 @jijiechen
feat(kumactl): add no-dataplanes profile and skip secrets when exporting #10964 @lahabana
feat(kumactl): add server info when doing export #10914 @lahabana
feat(meshexternalservice): make egress optional on the mesh to pass the traffic of mesh external service through egress. #11445 @jakubdyszkiewicz
feat(meshexternalservice): remove MeshTrafficPermission support for MeshExternalService and allow traffic when using egress #11075 @lukidzi
feat(meshexternalservice): remove unix support #11350 @slonka
feat(meshexternalservice): route traffic through egress only #11080 @lukidzi
feat(meshexternalservice): support MeshExternalService in MeshGateway and MeshHTTPRoute #11383 @slonka
feat(meshexternalservice): use common protocol field #11378 @slonka
feat(meshloadbalancingstrategy): support for multizoneservice #11276 @jakubdyszkiewicz
feat(meshpassthrough): add support for delegated gateway #10675 @lukidzi
feat(meshtls): implement policy for granular mtls configuration #11229 #11233 #11254 #11437 #11447 #11468 #11469 @lukidzi,@slonka
feat(observability): default installation with exclusive mesh services #11452 @jakubdyszkiewicz
feat(policy): implicitly reference MeshService objects with kuma.io/service #11230 @michaelbeaumont
feat(policy): support targeting real MeshExternalService in MeshAccessLog, MeshCircuitBreaker, MeshHTTPRoute, MeshHealthCheck, MeshLoadBalancingStrategy, MeshRetry, MeshTCPRoute, MeshTimeout #11162 #11163 #11220 #11231 #11232 #11236 #11272 #11273 @lukidzi
feat(policy): support targeting real MeshService in MeshAccessLog, MeshCircuitBreaker, MeshHTTPRoute, MeshHealthCheck, MeshRetry, MeshTCPRoute, MeshTimeout #11060 #11063 #11068 #11070 #11154 #11161 #11222 @Automaat
feat(reachableservices): support defining reachable services for MeshService and MeshExternalService #10869 @lukidzi
feat(transparent-proxy): add comments to tproxy iptables rules #10809 #10811 @bartsmykla
feat(transparent-proxy): add iptables logging with new flag and annotation #10743 @bartsmykla
feat(transparent-proxy): add option to exclude inbound ip addresses from transparent proxy #10884 @bartsmykla
feat(transparent-proxy): add option to exclude ip addresses from outbound redirection #10867 @bartsmykla
feat(transparent-proxy): add option to uninstall transparent proxy #10890 @bartsmykla
feat(transparent-proxy): allow --kuma-dp-user to accept UIDs and deprecate --kuma-dp-uid flag #10920 @bartsmykla
feat(transparent-proxy): allow configure transparent proxy from config file #11089 #11403 @bartsmykla
feat(transparent-proxy): allow insert instead of append redirect rules #11267 @bartsmykla
feat(transparent-proxy): enforce root privileges for (un)install commands #11166 @bartsmykla
feat(transparent-proxy): handle option to drop invalid packets #10676 @bartsmykla
feat(transparent-proxy): improve the way identifying/locating iptables binaries #11207 #11277 @bartsmykla
feat(transparent-proxy): improve the way picking iptables executables/binaries #11165 #11302 @bartsmykla
feat(transparent-proxy): remove deprecated flags and annotations for outbound port exclusions for UIDs #10983 @bartsmykla
feat(transparent-proxy): remove deprecated redirect inbound port IPv6 #10906 @bartsmykla
fix(HostnameGenerator): fix issues syncing HostnameGenerator policies from global CP to zone CPs #11062 @jakubdyszkiewicz
fix(HostnameGenerator): selectors validation and matching #10688 @jakubdyszkiewicz
fix(HostnameGenerator): sort resources before generating hostnames #11010 @michaelbeaumont
fix(MeshAccessLog): strengthen validation for MeshAccessLog and MeshGateway #11560 @michaelbeaumont
fix(MeshGateway): apply policies to clusters from real backendRefs #11531 @michaelbeaumont
fix(MeshGateway): handle unresolved real backendRefs #11461 @michaelbeaumont
fix(MeshGateway): prevent duplicate virtual hosts #10866 @michaelbeaumont
fix(MeshLoadBalancingStrategy): apply to real resource targeted policies with MeshGateway #11582 @michaelbeaumont
fix(MeshLoadBalancingStrategy): only allow loadBalancer with MeshGateway and to.targetRef.kind: Mesh #11563 @michaelbeaumont
fix(MeshPassthrough): Route / as a prefix instead of the whole path #11204 @michaelbeaumont
fix(MeshService): add port name when converting from Service #10638 @michaelbeaumont
fix(MeshService): don’t duplicate headless service VIPs #10682 @michaelbeaumont
fix(MeshService): don’t exclude kuma.io/service if using reachableBackends #11301 @michaelbeaumont
fix(MeshService): don’t skip endpoints for headless #10684 @michaelbeaumont
fix(MeshService): don’t skip endpoints for headless with ZoneIngress #10735 @michaelbeaumont
fix(MeshService): don’t sync deletion grace period label #11064 @michaelbeaumont
fix(MeshService): limit display name to 63 characters #10719 @michaelbeaumont
fix(api): when resource has origin zone assume is local #11766 @lukidzi
fix(api-server): make clearer error messages for “method not allowed” errors on the global CP #11069 @michaelbeaumont
fix(autoreachableservices): do not filter out MeshMultiZoneService #11747 @lukidzi
fix(cni): set proper namespace for the taint controller #10651 @slonka
fix(cni): set proper namespace for the taint controller (backport of #10651) #10662 @kumahq
fix(e2e): loosen up assertion on traffic route test #11764 @Automaat
fix(egress): same external service tag in multiple meshes #11667 @jakubdyszkiewicz
fix(federation): export mesh secrets before Mesh objects #11497 @michaelbeaumont
fix(federation): set skipCreatingInitialPolicies on exported Meshes #11501 @michaelbeaumont
fix(injector): set allowPrivilegeEscalation: false on kuma-validation container #11178 @voidlily
fix(inspect-api): add missing resources to BaseMeshContext #11482 @lobkovilya
fix(inspect-api): added check if dpp is affected by zone policy #11425 @lukidzi
fix(inspect-api): amend openapi types for arbitrary objects #11515 @johncowen
fix(inspect-api): correct resource types in the inspect API to types of the policy, not the type of targetRef #11438 @lobkovilya
fix(inspect-api): don’t panic when outbound doesn’t have ‘kuma.io/service’ tag #11613 @lobkovilya
fix(inspect-api): don’t set ‘toRules’ when meshServices.mode: Exclusive #11623 @lobkovilya
fix(inspect-api): make conf an array of unknown structs in OpenAPI spec #11528 @johncowen
fix(k8s): always authenticate with latest service account token #11399 @michaelbeaumont
fix(k8s): avoid nil TargetRef pointer dereference (backport of #10746) #10763 @kumahq
fix(k8s): avoid nil TargetRef pointer dereference in pod controller #10746 @czeslavo
fix(k8s): check if labels has changed when reconciling #11758 @lukidzi
fix(k8s): reenable deep copies when interacting with k8s resources #10561 @michaelbeaumont
fix(kds): do not log an error when context cancelled #10923 @lukidzi
fix(kuma-cp): Global Inspect API returns incorrect list of affected gateways dataplanes #11790 @lobkovilya
fix(kuma-cp): add labels to dataplane object on universal #11449 @lukidzi
fix(kuma-cp): allow specifying namespace when targeting MeshExternalService in policies #11474 @Automaat
fix(kuma-cp): check if zone is online before forwarding request #10919 @lukidzi
fix(kuma-cp): consumer scoped policies should be applied only on dpps from the same namespace #11300 @Automaat
fix(kuma-cp): couldn’t use to[].targetRef: Mesh on non-federated zones #11428 @lobkovilya
fix(kuma-cp): deprecate use kuma.io/mesh annotation and use label instead #11690 @lukidzi
fix(kuma-cp): do not sync policies with empty topLevel targetRef to zones that does not support it #11457 @Automaat
fix(kuma-cp): don’t add namespace labels when resource was synced from universal zone #10913 #11020 @Automaat
fix(kuma-cp): don’t allow namespace-scoped policies with ‘to’ and ‘from’ arrays at the same time #11750 @lobkovilya
fix(kuma-cp): don’t override owner and creation time Create opts #11009 @michaelbeaumont
fix(kuma-cp): don’t wait before ticking the first time in watchdog #11105 @michaelbeaumont
fix(kuma-cp): fix conn closed error on transaction rollback #10665 @Automaat
fix(kuma-cp): handle cases when requested BackendRefIdentifier contains ports #11278 @lobkovilya
fix(kuma-cp): map port to section name for reachable backends #11736 @lukidzi
fix(kuma-cp): paginate Secrets correctly in universal #10954 @michaelbeaumont
fix(kuma-cp): panic when DPP uses outbounds with ‘backendRef.Labels’ and no meshservices were matched #11604 @lobkovilya
fix(kuma-cp): pass future meta to Validate when creating a resource #10927 @michaelbeaumont
fix(kuma-cp): properly match policies to gateway when calling _rules endpoint #11504 @Automaat
fix(kuma-cp): remove automatically created MeshServices when mode is switched to Disabled #11675 @lobkovilya
fix(kuma-cp): resources that were created on 2.7.x are missing namespace labels when synced on global #11794 @lobkovilya
fix(kuma-cp): use contexts instead of channels in watchdog #11110 @lahabana
fix(kuma-cp): validation for explicit DPP outbounds with BackendRef #11415 @lobkovilya
fix(kuma-dp): don’t fail if envoy version is not semver #11095 @lahabana
fix(kumactl): fix flag in information banner for kumactl generate tls-certificate #11318 @f100024
fix(kumactl): remove service in prometheus config #10969 @lahabana
fix(kumactl): support empty docs in in kumactl apply #10951 @lahabana
fix(mads): add mutex when checking if reconcile is needed and reconciling #11578 @lobkovilya
fix(meshexternalservice): allow defining only name or labels #11502 @lukidzi
fix(meshexternalservice): generate correct sni for sidecar and egress #11382 @lukidzi
fix(meshexternalservice): map from/to policy to resource rule for Egress #11384 @lukidzi
fix(meshgateway): do not override annotations from deployment #10698 @Automaat
fix(meshgatewayinstance): remove required since we generate serviceName #11151 @lukidzi
fix(meshhttproute): deref pointer to weight or use default 1 #11051 @lukidzi
fix(meshmetric): add missing timestamp in mapper #10966 @slonka
fix(meshmultizoneservice): order of matched mesh services #11475 @jakubdyszkiewicz
fix(meshpassthrough): do not require port #10941 @lukidzi
fix(meshpassthrough): don’t remove all filters chains #11540 @lukidzi
fix(meshservice): do not wipe out identities of synced service #10655 @jakubdyszkiewicz
fix(meshservice): permissive mTLS of synced services #11749 @jakubdyszkiewicz
fix(meshservice): use only labels to index services #11450 @jakubdyszkiewicz
fix(observability): use internal and external requests in outgoing status code panel #10974 @michaelbeaumont
fix(policy): don’t fail once cannot map MeshExternalService to tags rules #11155 @lukidzi
fix(policy): verify zone if dpp origin is zone and metadata exists #11462 @lukidzi
fix(resourcerules): add own mesh to the MeshContext, so it could be successfully resolved #11525 @lobkovilya
fix(transparent-proxy): avoid mounting xtables.lock for newer versions of legacy iptables #11113 @bartsmykla
fix(transparent-proxy): check DNS related CLI flags earlier #11402 @bartsmykla
fix(transparent-proxy): conntrack zone splitting in docker containers with custom network #11684 @bartsmykla
fix(transparent-proxy): enable kuma.io/transparent-proxying-ip-family-mode annotation per pod #10905 @bartsmykla
fix(transparent-proxy): fix IPv6 iptables rules when no IPv6 DNS servers #10800 @bartsmykla
fix(transparent-proxy): fix pod delay when CNI on GKE with OS Login #11050 @bartsmykla
fix(transparent-proxy): refactor and make validation to work on IPv6 #11395 @bartsmykla
fix(utils): enhance the logic to check if a channel is closed #10894 @sjmshsh
fix(xds): accelerate universal dp XDS generation #11180 @Icarus9913
fix(xds): explicitly set initial fetch timeout to zero to keep Envoy wait for xds resources #11024 @jijiechen
fix(xds): make sure ADS are ordered #11579 @jakubdyszkiewicz
fix(xds): resolve eds deadlock introduced by initial fetch timeout #11602 @jakubdyszkiewicz
perf(k8s): do not update resource on control-plane restart #11327 @lukidzi
perf(kuma-cp): faster service to dpp matching #10628 @jakubdyszkiewicz
revert(kuma-cp): do not use additional addresses #11601 @lukidzi

2.8.4

Released on 2024/10/08

chore(deps): bump kumahq/kuma from 2.8.3 to 2.8.4 @kong-mesh
chore(deps): security update @kong-mesh
chore(deps): upgrade envoy for windows to 1.28.7 @lukidzi

Includes kumahq/kuma@2.8.4 changelog

chore(deps): bump coredns from v1.11.1 to v1.11.3 #11574 @kumahq
chore(deps): bump golang from 1.22.7 to 1.22.8 #11630 @Icarus9913
chore(deps): security update #11330 @kumahq
chore(deps): upgrade envoy to 1.30.6 #11487 @lukidzi
fix(MeshTrace): invalid sampling default values (backport of #11548) #11551 @kumahq
fix(egress): same external service tag in multiple meshes (backport of #11667) #11671 @kumahq
fix(meshgateway): do not override annotations from deployment (backport of #10698) #11616 @kumahq
fix(xds): eds deadlock on initial fetch timeout (backport of #11602) #11606 @kumahq
revert(kuma-cp): do not use additional addresses (backport of #11601) #11609 @kumahq

2.7.8

Released on 2024/10/08

chore(deps): bump kumahq/kuma from 2.7.7 to 2.7.8 @kong-mesh
chore(deps): security update @kong-mesh
chore(deps): upgrade envoy for windows to 1.28.7 @lukidzi

Includes kumahq/kuma@2.7.8 changelog

chore(deps): bump coredns from v1.11.1 to v1.11.3 #11575 @kumahq
chore(deps): bump golang from 1.22.7 to 1.22.8 #11629 @Icarus9913
chore(deps): security update #11329 @kumahq
chore(deps): upgrade envoy to 1.29.9 #11486 @lukidzi
fix(MeshTrace): invalid sampling default values (backport of #11548) #11552 @kumahq
fix(egress): same external service tag in multiple meshes (backport of #11667) #11670 @kumahq
fix(meshgateway): do not override annotations from deployment (backport of #10698) #11618 @kumahq
fix(xds): eds deadlock on initial fetch timeout (backport of #11602) #11605 @kumahq
revert(kuma-cp): do not use additional addresses (backport of #11601) #11612 @kumahq

2.6.12

Released on 2024/10/08

chore(deps): bump kumahq/kuma from 2.6.11 to 2.6.12 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.6.12 changelog

chore(deps): bump coredns from v1.11.1 to v1.11.3 #11576 @kumahq
chore(deps): bump golang from 1.22.7 to 1.22.8 #11628 @Icarus9913
chore(deps): security update #11333 @kumahq
chore(deps): upgrade envoy to 1.28.7 #11485 @lukidzi
fix(MeshTrace): invalid sampling default values (backport of #11548) #11553 @kumahq
fix(egress): same external service tag in multiple meshes (backport of #11667) #11669 @kumahq
fix(meshgateway): do not override annotations from deployment (backport of #10698) #11619 @kumahq
fix(xds): eds deadlock on initial fetch timeout (backport of #11602) #11607 @kumahq
revert(kuma-cp): do not use additional addresses (backport of #11601) #11611 @kumahq

2.5.11

Released on 2024/10/08

chore(deps): bump kumahq/kuma from 2.5.10 to 2.5.11 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.5.11 changelog

chore(deps): bump coredns from v1.11.1 to v1.11.3 #11573 @kumahq
chore(deps): bump golang from 1.22.7 to 1.22.8 #11627 @Icarus9913
chore(deps): security update #11332 @kumahq
chore(deps): upgrade envoy to 1.28.7 #11484 @lukidzi
fix(egress): same external service tag in multiple meshes (backport of #11667) #11668 @kumahq
fix(meshgateway): do not override annotations from deployment (backport of #10698) #11617 @kumahq
fix(xds): eds deadlock on initial fetch timeout (backport of #11602) #11608 @kumahq

2.8.3

Released on 2024/09/04

chore(deps): bump kumahq/kuma from ffb0a135b832 to 2.8.3 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.8.3 changelog

chore(deps): bump Kong/public-shared-actions from 2.3.0 to 2.4.0 #11147 @kumahq
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.31.0 to 0.32.0 #11158 @kumahq
chore(deps): security update #11199 @kumahq
feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy (backport of #11107) #11238 @kumahq
fix(kuma-cp): paginate Secrets correctly in universal (backport of #10954) #10959 @kumahq
fix(meshhttproute): deref pointer to weight or use default 1 (backport of #11051) #11130 @kumahq
fix(meshmetric): add missing timestamp in mapper (backport of #10966) #10980 @kumahq
fix(xds): explicitly set initial fetch timeout to zero to keep Envoy wait for xds resources (backport of #11024) #11025 @kumahq

2.7.7

Released on 2024/09/03

chore(deps): bump kumahq/kuma from 90b2732876d1 to 2.7.7 @kong-mesh
chore(deps): downgrade envoy for windows to 1.28.5 @lukidzi

Includes kumahq/kuma@2.7.7 changelog

chore(deps): bump Kong/public-shared-actions from 2.3.0 to 2.4.0 #11150 @kumahq
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.31.0 to 0.32.0 #11156 @kumahq
chore(deps): security update #11198 @kumahq
feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy (backport of #11107) #11242 @kumahq
fix(kuma-cp): paginate Secrets correctly in universal (backport of #10954) #10958 @kumahq
fix(meshhttproute): deref pointer to weight or use default 1 (backport of #11051) #11129 @kumahq
fix(meshmetric): add missing timestamp in mapper (backport of #10966) #10978 @kumahq
fix(xds): explicitly set initial fetch timeout to zero to keep Envoy wait for xds resources (backport of #11024) #11026 @kumahq

2.6.11

Released on 2024/09/03

chore(deps): bump kumahq/kuma from fbafe3de5ac5 to 2.6.11 @kong-mesh

Includes kumahq/kuma@2.6.11 changelog

chore(deps): security update #11200 @kumahq
feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy #11241 @kumahq
fix(kuma-cp): paginate Secrets correctly in universal (backport of #10954) #10955 @kumahq
fix(meshhttproute): deref pointer to weight or use default 1 (backport of #11051) #11127 @kumahq
fix(meshmetric): add missing timestamp in mapper (backport of #10966) #10977 @kumahq
fix(xds): explicitly set initial fetch timeout to zero to keep Envoy wait for xds resources (backport of #11024) #11028 @kumahq

2.5.10

Released on 2024/09/03

chore(deps): bump kumahq/kuma from fab8179dfe37 to 2.5.10 @kong-mesh

Includes kumahq/kuma@2.5.10 changelog

chore(deps): security update #11196 @kumahq
feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy #11239 @kumahq
fix(kuma-cp): paginate Secrets correctly in universal (backport of #10954) #10957 @kumahq
fix(xds): explicitly set initial fetch timeout to zero to keep Envoy wait for xds resources (backport of #11024) #11029 @kumahq

2.6.10

Released on 2024/07/25

chore(deps): bump kumahq/kuma from e28b7339e639 to fbafe3de5 @kong-mesh

Includes kumahq/kuma@2.6.10 changelog

chore(deps): update go to 1.22.5 (backport of #10096) #10853 @kumahq
chore(deps): upgrade envoy with DNS fix #10932 @michaelbeaumont
fix(transparent-proxy): allow iptables executables without mode #10793 @bartsmykla

2.5.9

Released on 2024/07/25

chore(deps): bump kumahq/kuma from e39c5430659a to fab8179df @kong-mesh

Includes kumahq/kuma@2.5.9 changelog

chore(deps): update go to 1.22.5 and kube controller-tools to v0.14.0 (backport of #10096) #10854 @kumahq
chore(deps): upgrade envoy with DNS fix #10931 @michaelbeaumont
fix(transparent-proxy): allow iptables executable without mode #10794 @bartsmykla

2.4.10

Released on 2024/07/25

chore(deps): bump kumahq/kuma from 124fc3eb91b0 to fde462d37 @kong-mesh

Includes kumahq/kuma@2.4.10 changelog

chore(deps): update go to 1.22.5 (backport of #10096) #10855 @kumahq
chore(deps): upgrade envoy with DNS fix #10930 @michaelbeaumont

2.8.2

Released on 2024/07/24

chore(deps): bump kumahq/kuma from c3a2cada28e3 to ffb0a135b @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.8.2 changelog

chore(deps): update go to 1.22.5 (backport of #10096) #10856 @kumahq
chore(deps): upgrade envoy with DNS fix #10934 @michaelbeaumont
fix(k8s): avoid nil TargetRef pointer dereference (backport of #10746) #10763 @kumahq

2.7.6

Released on 2024/07/24

chore(deps): bump kumahq/kuma from bab1af2f8583 to 90b273287 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.7.6 changelog

chore(deps): update go to 1.22.5 (backport of #10096) #10857 @kumahq
chore(deps): upgrade envoy with DNS fix #10933 @michaelbeaumont
fix(transparent-proxy): allow iptables executables without mode #10792 @bartsmykla

2.6.9

Released on 2024/07/05

chore(deps): bump kumahq/kuma from 498d86f27ece to e28b7339e @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.6.9 changelog

chore(deps): upgrade envoy to 1.28.5 #10685 @lukidzi
fix(cni): set proper namespace for the taint controller (backport of #10651) #10659 @kumahq

2.5.8

Released on 2024/07/05

chore(deps): bump kumahq/kuma from 2a7e5013eb2c to e39c54306 @kong-mesh
chore(deps): security update @kong-mesh
fix(kuma-cp): downgrade go-control-plane to mitigate potential deadlock (backport of #6094) @kong-mesh
fix(license): don’t fail if we ever saw a valid license (backport of #5968) @kong-mesh
fix(ubi): upgrade from non-existent iptables-nft version (backport of #5910) @kong-mesh
fix(kuma-cp): fixed an issue that breaks license propagation from the global control plane to zone control planes

Includes kumahq/kuma@2.5.8 changelog

chore(deps): upgrade envoy to 1.28.5 #10686 @lukidzi
chore(deps): upgrade go to 1.21.11 (backport of #10401) #10406 @kumahq
chore(deps): use latest kumahq/kuma-gui #10066 #10090 @kumahq
fix(cni): set proper namespace for the taint controller (backport of #10651) #10663 @kumahq
fix(gatewayapi): validate presence of all required Gateway API resources (backport of #10079) #10080 @kumahq
fix(jobs): jobs termination after CP restart (backport of #10085) #10088 @kumahq
fix(kds): fix retry on NACK and add backoff (backport of #9736) #9858 @kumahq
fix(kds): fix the case when webhook/db reject resource (backport of #10315) #10352 @kumahq
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs (backport of #10160, #10162, #10161) #10166 @kumahq
fix(transparent-proxy): stop logging all to stderr when installing tproxy (backport of #10045) #10050 @kumahq

2.4.9

Released on 2024/07/05

chore(deps): bump kumahq/kuma from 304050ffd4f5 to 124fc3eb9 @kong-mesh
chore(deps): security update @kong-mesh
fix(license): don’t fail if we ever saw a valid license (backport of #5968) @kong-mesh
fix(ubi): upgrade from non-existent iptables-nft version (backport of #5910) @kong-mesh

Includes kumahq/kuma@2.4.9 changelog

chore(deps): upgrade envoy to 1.27.7 #10690 @lukidzi
chore(deps): upgrade go from 1.21.10 to 1.21.11 (backport of #10401) #10407 @kumahq
fix(cni): set proper namespace for the taint controller (backport of #10651) #10660 @kumahq
fix(gatewayapi): validate presence of all required Gateway API resources (backport of #10079) #10081 @kumahq
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs (backport of #10160, #10162, #10161) #10170 @kumahq
fix(jobs): jobs termination after CP restart (backport of https://github.com/kumahq/kuma/pull/10085) https://github.com/kumahq/kuma/pull/10087 @kumahq

2.8.1

Released on 2024/07/04

chore(deps): bump kumahq/kuma from 1110a0305eec to c3a2cada2 @kong-mesh
chore(deps): upgrade envoy to 1.28.5 for windows @lukidzi
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.8.1 changelog

chore(deps): upgrade envoy to 1.30.3 #10645 @lukidzi
chore(deps): upgrade envoy to 1.30.4 #10692 @lukidzi
chore(deps): use latest kumahq/kuma-gui #10647 @kumahq
fix(cni): set proper namespace for the taint controller (backport of #10651) #10662 @kumahq
fix(hostnamegenerator): selectors validation and matching #10688 @jakubdyszkiewicz
fix(meshservice): do not wipe out identities of synced service #10655 @jakubdyszkiewicz

2.7.5

Released on 2024/07/04

chore(deps): bump kumahq/kuma from f19b85337222 to bab1af2f8 @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.7.5 changelog

chore(deps): bump envoy from 1.29.5 to 1.29.7 #10641 #10691 @lukidzi
fix(cni): set proper namespace for the taint controller (backport of #10651) #10661 @kumahq

2.8.0

Released on 2024/06/24

chore(deps): bump Kong/public-shared-actions from 2.1.0 to 2.3.0 @dependabot
chore(deps): bump actions/create-github-app-token from 1.9.3 to 1.10.1 @dependabot
chore(deps): bump actions/create-github-app-token to 1.10.0 in sync_ci.sh @michaelbeaumont
chore(deps): bump github.com/Kong/kauth-api from 1.139.0 to 1.142.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/kauth from 1.4.54 to 1.4.85 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.13.2 to 1.13.17 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.50.12 to 1.53.21 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.14.1 to 1.14.5 @dependabot
chore(deps): bump github.com/docker/docker from 25.0.5+incompatible to 26.1.4+incompatible @dependabot
chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 @dependabot
chore(deps): bump github.com/hashicorp/vault/api from 1.11.0 to 1.14.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.5.0 to 0.7.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.10.2 to 0.13.0 @dependabot
chore(deps): bump github.com/yalue/merged_fs from 1.2.3 to 1.3.0 @dependabot
chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.49.0 to 0.52.0 @dependabot
chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 @dependabot
chore(deps): bump kumahq/kuma from 396f0a557853 to 17e4c2097 @jakubdyszkiewicz,@kong-mesh,@lahabana
chore(deps): bump kumahq/ubuntu-netools from 9eba4ba to 8675216 @dependabot
chore(deps): bump the opa group with 2 updates @dependabot
chore(deps): bump ubi9-minimal from 9.3-1612 to 9.4-949.1717074713 @dependabot
chore(deps): downgrade envoy to 1.28.4 for Windows @lukidzi
chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(kumactl): restrict the default admin role binding by default when installing the control plane @jijiechen
fix(docs): fix outdated url for backend store @Icarus9913
fix(kuma-cp): downgrade go-control-plane to mitigate potential deadlock @bartsmykla
fix(kuma-cp): override system namespace when running Universal @lobkovilya
fix(license): don’t fail if we ever saw a valid license @lahabana
fix(ubi): upgrade iptables-nft version @michaelbeaumont

Includes kumahq/kuma@2.8.0 changelog

chore(build): add possibility to configure extra args for shellcheck #10331 @Automaat
chore(build): set envoy version conditionally #10538 @lukidzi
chore(deps): bump Kong/public-shared-actions from 2.2.0 to 2.2.3 #9995 #10126 #10197 @dependabot
chore(deps): bump actions/checkout from 4.1.2 to 4.1.7 #10036 #10123 #10195 #10263 #10521 @dependabot
chore(deps): bump actions/create-github-app-token from 1.9.3 to 1.10.1 #10175 #10372 @dependabot
chore(deps): bump actions/download-artifact from 4.1.4 to 4.1.7 #9993 #10122 @dependabot
chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 #10173 @dependabot
chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 #9994 #10035 #10127 @dependabot
chore(deps): bump cloudsmith-io/action from 0.6.6 to 0.6.9 #10324 #10427 #10523 @dependabot
chore(deps): bump debian from b37bc25 to a92ed51 #10120 #10264 #10520 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 4cba3ac to 1dcd82e #10183 @dependabot
chore(deps): bump envoy version from 1.29.3 to 1.30.2 #10453 @lukidzi
chore(deps): bump github.com/cilium/ebpf from 0.14.0 to 0.15.0 #10039 @dependabot
chore(deps): bump github.com/containernetworking/cni from 1.2.0 to 1.2.1 #10526 @dependabot
chore(deps): bump github.com/containernetworking/plugins from 1.4.1 to 1.5.0 #10282 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.12.0 to 3.12.1 #10375 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.4 to 0.6.1 #10528 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.4.1 to 1.4.2 #10295 @dependabot
chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.0 to 4.17.1 #10038 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.46.13 to 0.46.15 #10118 #10297 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.5 to 5.6.0 #10325 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.58 to 1.1.61 #9990 #10527 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.19.0 #10119 #10223 #10296 #10326 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.1 #9991 #10180 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 #10226 @dependabot
chore(deps): bump github.com/prometheus/common from 0.52.3 to 0.54.0 #9989 #10374 @dependabot
chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 #10530 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.30.0 to 0.31.0 #10222 @dependabot
chore(deps): bump github/codeql-action from 3.25.0 to 3.25.10 #9996 #10128 #10227 #10286 #10373 #10396 #10522 @dependabot
chore(deps): bump go.opentelemetry.io/proto/otlp from 1.2.0 to 1.3.1 #10524 @dependabot
chore(deps): bump golang.org/x/net from 0.24.0 to 0.26.0 #10225 #10398 @dependabot
chore(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0 #10181 @dependabot
chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 #10176 @dependabot
chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 6.0.1 #10129 #10174 #10196 @dependabot
chore(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 #10266 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.2 #10177 #10525 @dependabot
chore(deps): bump kumahq/ubuntu-netools from 9eba4ba to 8675216 #10131 #10182 #10285 @dependabot
chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 #10228 @dependabot
chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.5 #9997 #10125 @dependabot
chore(deps): bump postgres from 5c58707 to 46aa2ee #10041 #10132 #10221 #10284 #10514 @dependabot
chore(deps): bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 #10124 @dependabot
chore(deps): bump the go-opentelemetry-io group with 9 updates #10115 #10294 @dependabot
chore(deps): bump ubuntu from jammy-20240227 to jammy-20240530 #9987 #10121 #10184 #10413 @dependabot
chore(deps): ignore go-control-plane updates by dependabot #10412 @bartsmykla
chore(deps): update CNI to v1.2.0 #10101 @Icarus9913
chore(deps): upgrade go to 1.21.11 #10401 @lukidzi
chore(deps): use latest kumahq/kuma-gui #9978 #9980 #9985 #9998 #10001 #10009 #10010 #10043 #10044 #10052 #10053 #10060 #10061 #10062 #10064 #10092 #10093 #10105 #10108 #10111 #10112 #10135 #10136 #10143 #10187 #10188 #10190 #10198 #10199 #10201 #10210 #10213 #10231 #10232 #10240 #10242 #10249 #10262 #10269 #10281 #10283 #10289 #10292 #10302 #10305 #10307 #10310 #10311 #10423 #10424 #10425 #10429 #10431 #10432 #10450 #10456 #10465 #10473 #10479 #10493 #10505 #10536 #10556 #10596 #10603 @kumahq
feat(Mesh*Service): validate name length #10544 @michaelbeaumont
feat(MeshExternalService): implement a new resource #10239 #10293 #10306 #10336 #10444 #10445 #10568 #10570 #10578 #10594 @lukidzi,@slonka
feat(MeshRetry): allow setting numRetries to 0 to disable retries #10250 @lahabana
feat(MeshService): add events when generating from Kubernetes Service #10290 @michaelbeaumont
feat(MeshService): add port names #10287 @michaelbeaumont
feat(MeshService): handle headless Services #10308 @michaelbeaumont
feat(MeshService): set kuma.io/managed-by for converted MeshServices #10481 @michaelbeaumont
feat(MeshService): support mTLS #10403 @michaelbeaumont
feat(MeshService): tag with headlessness, add pod-name/pod-index labels #10472 @michaelbeaumont
feat(MeshService): use hostnames for DNS #10387 @michaelbeaumont
feat(api-server): update policies api response structure #10428 @Icarus9913
feat(hostnamegenerator): add display name to HostnameGenerator #10476 @slonka
feat(hostnamegenerator): add zone and namespace variables #10533 @jakubdyszkiewicz
feat(hostnamegenerator): apply templates to MeshServices #10362 @michaelbeaumont
feat(hostnamegenerator): implement MeshExternalService support #10379 @lukidzi
feat(hostnamegenerator): prevent template being empty #10548 @slonka
feat(k8s): add kubernetes.io/hostname to default node labels to copy #10243 @slonka
feat(k8s): opt-in to support tls for GAPI in all namespaces #10015 @jakubdyszkiewicz
feat(kds): add a flag to avoid creating a zone on connection on kds #10298 @lahabana
feat(kds): create first, then remove synced resources #10562 @Automaat
feat(kds): sync mesh service status #10337 @jakubdyszkiewicz
feat(kuma-cni): add readOnlyRootFilesystem into securityContext of the container kuma-validation #10394 @jijiechen
feat(kuma-cp): add error type to nack metric #10013 @slonka
feat(kuma-cp): add policy matching api for meshservice #10378 @Automaat
feat(kuma-cp): always add kuma.io/zone label to resource #10457 @Automaat
feat(kuma-cp): consumer policies on app’s namespace #10361 @lobkovilya
feat(kuma-dp): add function to find default CA #10367 @lukidzi
feat(meshexternalservice): add IP allocator for meshexternalservice #10376 @lukidzi
feat(meshpassthrough): create API and validators #10314 @lukidzi
feat(meshpassthrough): implement new policy #10363 #10458 #10466 #10532 #10576 #10595 @lukidzi
feat(meshservice): cross-zone connectivity #10411 @jakubdyszkiewicz
feat(meshservice): ipam #10320 @jakubdyszkiewicz
feat(meshservice): prefer MeshService over kuma.io/service routing #10564 @jakubdyszkiewicz
feat(meshservice): rename protocol to appprotocol #10539 @jakubdyszkiewicz
feat(meshservice): sync identity cross zones #10451 @jakubdyszkiewicz
feat(meshservice): sync mesh service to other zones #10380 @jakubdyszkiewicz
feat(report): add more info in the report #10270 @lahabana
feat(store): update does not wipe out labels #10335 @jakubdyszkiewicz
fix(GatewayAPI): only enqueue Gateway reconciliations from routes if parent is a Gateway #10316 @spacewander
fix(HostnameGenerator): don’t exit component on error #10392 @michaelbeaumont
fix(Mesh*Service): rename HostnameGenerator ref name to coreName #10597 @michaelbeaumont
fix(MeshHttpRoute): don’t split header value prematurely #10191 @spacewander
fix(MeshRoute): properly map listener TLS certs to DownstreamTlsContext #10272 @michaelbeaumont
fix(ZoneIngress): fix no pointer panic for advertised address resolving #10475 @Icarus9913
fix(api-server): check for tenant just before logging #10377 @michaelbeaumont
fix(api-server): fix trace/span ID processing in logs #10100 @bartsmykla
fix(gateway): handle implicit kuma.io/service in pod annotation #10076 @jakubdyszkiewicz
fix(gateway): run validating webhook on MeshGatewayInstance #10330 @Icarus9913
fix(gateway): support inlineString in TLS certificates #10159 @michaelbeaumont
fix(gatewayapi): reconcile HTTPRoutes when relevant Services change #10192 @michaelbeaumont
fix(gatewayapi): validate presence of all required Gateway API resources #10079 @bartsmykla
fix(helm): don’t fail when webhook doesn’t exist #10098 @lahabana
fix(helm): include GatewayClass only if installing a zone CP in Kubernetes mode #10012 @michaelbeaumont
fix(jobs): jobs termination after CP restart #10085 @jakubdyszkiewicz
fix(k8s): don’t error if a service doesn’t expose any ports we can handle #9982 @michaelbeaumont
fix(k8s): take mesh from label of the namespace #10580 @jakubdyszkiewicz
fix(k8s): use EndpointSlices to determine identity for Service without selectors #10134 @michaelbeaumont
fix(k8s): virtual probes for sidecar initContainer ports also exposed by a Service #9971 @michaelbeaumont
fix(kds): change version label for kds_clint_versions metric #10323 @Automaat
fix(kds): clone resource on update meta #10460 @jakubdyszkiewicz
fix(kds): fix resource name hashing on global #10452 @Automaat
fix(kds): fix the case when webhook/db reject resource #10315 @lukidzi
fix(kds): fix updating metric of kds client version #10312 @Automaat
fix(kds): make error handling similar between GlobalToZoneSync and ZoneToGlobalSync #10056 @michaelbeaumont
fix(kds): send NACK only when resource is invalid and do not retry #10480 @lukidzi
fix(kuma-cp): allow MES / HG to only be created in SystemNamespace #10577 @lobkovilya
fix(kuma-cp): cleanup generated egress certs #10162 @michaelbeaumont
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs #10160 @michaelbeaumont
fix(kuma-cp): consistently update ZoneIngress available services #10426 @michaelbeaumont
fix(kuma-cp): filter out old dangling zone resources in global (backport of #10245) #10268 @michaelbeaumont
fix(kuma-cp): index generated certs by proxy type #10161 @michaelbeaumont
fix(kuma-cp): mistakenly setting ‘kuma.io/display-name’ as label #10430 @lobkovilya
fix(kuma-cp): panic on mesh delete #10604 @jakubdyszkiewicz
fix(kuma-cp): validate the bandwidth strictly #10371 @spacewander
fix(kuma-dp): set systemCaPath when requesting config from kuma-cp #10443 @lukidzi
fix(kumactl): fix bad escape on regex #10420 @lahabana
fix(meshservice): tags and selector #10535 @jakubdyszkiewicz
fix(transparent-proxy): stop logging all to stderr when installing tproxy #10045 @bartsmykla
fix(validation): don’t prefix validation errors with spec. for core plugin resources #10543 @michaelbeaumont

2.7.4

Released on 2024/06/20

chore(deps): bump kumahq/kuma from 413bddfb40f2 to f19b85337 @kong-mesh
chore(deps): security update @kong-mesh
fix(kuma-cp): downgrade go-control-plane to mitigate potential deadlock (backport of #6094) @kong-mesh
fix(kuma-cp): fixed an issue that breaks license propagation from the global control plane to zone control planes

Includes kumahq/kuma@2.7.4 changelog

chore(deps): bump envoy version from 1.29.4 to 1.29.5 #10390 @lukidzi
chore(deps): ignore go-control-plane updates by dependabot (backport of #10412) #10416 @kumahq
chore(deps): upgrade go from 1.21.10 to 1.21.11 (backport of #10401) #10405 @kumahq
fix(MeshRoute): properly map listener TLS certs to DownstreamTlsContext (backport of #10272) #10340 @kumahq
fix(ZoneIngress): fix no pointer panic for advertised address resolving (backport of #10475) #10495 @kumahq
fix(kds): fix the case when webhook/db reject resource (backport of #10315) #10353 @kumahq
fix(kds): send NACK only when resource is invalid and do not retry (backport of #10480) #10516 @kumahq
fix(kuma-cp): consistently update ZoneIngress available services (backport of #10426) #10483 @kumahq

2.6.8

Released on 2024/06/20

chore(deps): bump kumahq/kuma from 68fa9292c542 to 498d86f27 @kong-mesh
chore(deps): security update @kong-mesh
fix(kuma-cp): downgrade go-control-plane to mitigate potential deadlock (backport of #6094) @kong-mesh

Includes kumahq/kuma@2.6.8 changelog

chore(deps): bump envoy version from 1.28.3 to 1.28.4 #10386 @lukidzi
chore(deps): ignore go-control-plane updates by dependabot (backport of #10412) #10418 @kumahq
chore(deps): upgrade go from 1.21.10 to 1.21.11 (backport of #10401) #10408 @kumahq
feat(k8s): do not set mesh owner reference on synced resources (backport of #9882) #10504 @kumahq
fix(ZoneIngress): fix no pointer panic for advertised address resolving (backport of #10475) #10498 @kumahq
fix(kds): send NACK only when resource is invalid and do not retry (backport of #10480) #10517 @kumahq
fix(kuma-cp): consistently update ZoneIngress available services (backport of #10426) #10486 @kumahq

2.6.7

Released on 2024/05/30

chore(deps): bump kumahq/kuma from 946233ed1fe6 to 68fa9292c @kong-mesh
fix(kuma-cp): fixed an issue that breaks license propagation from the global control plane to zone control planes

Includes kumahq/kuma@2.6.7 changelog

fix(MeshRoute): properly map listener TLS certs to DownstreamTlsContext (backport of #10272) #10344 @kumahq
fix(kds): fix the case when webhook/db reject resource (backport of #10315) #10351 @kumahq

2.7.3

Released on 2024/05/20

chore(deps): bump kumahq/kuma from 358de6f3e590 to 413bddfb4 @kong-mesh
chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
fix(license): don’t fail if we ever saw a valid license (backport of #5968) @kong-mesh

Includes kumahq/kuma@2.7.3 changelog

chore(deps): bump go to 1.21.10 (backport of #10209) #10258 @kumahq
chore(deps): use latest kumahq/kuma-gui #10092 #10199 @kumahq
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs (backport of #10160, #10162, #10161) #10168 @kumahq
fix(kuma-cp): filter out old dangling zone resources in global (backport of #10245) #10268 @michaelbeaumont

2.6.6

Released on 2024/05/17

chore(deps): bump kumahq/kuma from 9b95497f2dcf to 946233ed1 @kong-mesh
chore(deps): security update @kong-mesh
fix(license): don’t fail if we ever saw a valid license (backport of #5968) @kong-mesh
fix(ubi): upgrade from non-existent iptables-nft version (backport of #5910) @kong-mesh

Includes kumahq/kuma@2.6.6 changelog

chore(deps): manually bump go to 1.21.10 (backport of #10209) #10255 @kumahq
chore(deps): upgrade Envoy to version 1.28.3 #10019 @lukidzi
chore(deps): use latest kumahq/kuma-gui #10065 #10091 @kumahq
fix(gatewayapi): validate presence of all required Gateway API resources (backport of #10079) #10084 @kumahq
fix(jobs): jobs termination after CP restart (backport of #10085) #10089 @kumahq
fix(kds): fix retry on NACK and add backoff (backport of #9736) #9861 @kumahq
fix(kuma-cp): consistently check for expiring ZoneIngress/ZoneEgress certs (backport of #10160, #10162, #10161) #10169 @kumahq
fix(kuma-cp): filter out old dangling zone resources in global #10245 @michaelbeaumont
fix(transparent-proxy): stop logging all to stderr when installing tproxy (backport of #10045) #10048 @kumahq

2.7.2

Released on 2024/05/02

chore(deps): bump kumahq/kuma from 5a2d836dc6e5 to 684d3ddf6 @jakubdyszkiewicz,@kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
fix(ubi): upgrade from non-existent iptables-nft version @michaelbeaumont

Includes kumahq/kuma@2.7.2 changelog

fix(jobs): jobs termination after CP restart (#10085)
fix(gatewayapi): validate presence of all required Gateway API resources (backport of #10079) (#10082)
fix(gateway): handle implicit kuma.io/service in pod annotation (#10076)
fix(transparent-proxy): stop logging all to stderr when installing tproxy (backport of #10045) (#10047)

2.7.1

Released on 2024/04/23

chore(deps): bump kumahq/kuma from 77f3a8badc84 to 5a2d836dc @kong-mesh

Includes kumahq/kuma@2.7.1 changelog

chore(deps): upgrade Envoy to version 1.29.4 #10033 @lukidzi
feat(k8s): opt-in to support tls for GAPI in all namespaces #10015 @jakubdyszkiewicz
fix(helm): include GatewayClass only if installing a zone CP in Kubernetes mode #10012 @michaelbeaumont

2.7.0

Released on 2024/04/19

chore(deps): bump Kong/public-shared-actions from 1.15.0 to 2.1.0 @dependabot
chore(deps): bump actions/cache from 3 to 4 @dependabot
chore(deps): bump actions/create-github-app-token from 1.9.1 to 1.9.2 @dependabot
chore(deps): bump github.com/Kong/shared-go/kauth from 1.4.10 to 1.4.13 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.11.4 to 1.11.6 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.50.7 to 1.50.12 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.13.3 to 1.14.1 @dependabot
chore(deps): bump github.com/docker/docker from 25.0.1+incompatible to 25.0.3+incompatible @dependabot
chore(deps): bump kumahq/kuma from 2df58666a6a8 to 77f3a8bad @kong-mesh,@lukidzi
chore(deps): bump peter-evans/create-pull-request from 5 to 6 @dependabot
chore(deps): bump ubi9-minimal from 9.3-1552 to 9.3-1612 @dependabot
chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(MeshGlobalRateLimit): add kind: MeshGateway @michaelbeaumont
feat(MeshOPA): allow kind: MeshGateway @michaelbeaumont
feat(kuma-cp): rbac support more kuma targetRef kinds @jijiechen
feat(opa): move the logic of apending persistence_directory into agentConfig from cp to dp so that we can use different tempDir based on dp settings @jijiechen
feat(opa): add a default persistence_directory if not configured in agentConfig of mesh opa policies @jijiechen
feat(rbac): add rbac for control-plane metadata access @lahabana
feat(rbac): set the same permission on zone and global @lukidzi
fix(MeshGlobalRateLimit): duplicated paths in errors, require from not to be empty @michaelbeaumont
fix(MeshOPA): remove log for composable policies @jakubdyszkiewicz
fix(rbac): allow system:authenticated on zone cp @lukidzi

Includes kumahq/kuma@2.7.0 changelog

chore(deps): bump Envoy from 1.28.0 to 1.29.3 #9134 #9222 #9600 #9853 @lukidzi
chore(deps): bump Kong/public-shared-actions from 2.0.2 to 2.1.0 #9556 #9711 @dependabot
chore(deps): bump actions/cache from 3 to 4.0.2 #9205 #9491 #9712 @dependabot
chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 #9639 @dependabot
chore(deps): bump actions/create-github-app-token from 1.8.0 to 1.9.3 #9416 #9490 #9772 #9873 @dependabot
chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 #9306 @dependabot
chore(deps): bump cirello.io/pglock from 1.14.1 to 1.14.2 #9562 @dependabot
chore(deps): bump debian from b16cef8 to b37bc25 #9139 #9304 #9642 #9900 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 61c9d7a to 4cba3ac #9202 #9302 #9413 #9567 #9643 #9875 @dependabot
chore(deps): bump distroless/static-debian11 from 1e5b9bb to 459f8ab #9203 #9303 #9414 #9566 #9644 #9874 @dependabot
chore(deps): bump github.com/cilium/ebpf from 0.12.3 to 0.14.0 #9313 #9401 #9771 @dependabot
chore(deps): bump github.com/containernetworking/plugins from 1.4.0 to 1.4.1 #9649 @dependabot
chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible #9678 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.2 to 3.12.0 #9400 #9650 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.3 to 0.5.4 #9312 @dependabot
chore(deps): bump github.com/golang/protobuf from 1.5.3 to 1.5.4 #9561 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.46.11 to 0.46.13 #9716 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.5 #9143 #9493 #9560 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.17.1 #9564 #9646 #9715 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 #9651 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 #9467 @dependabot
chore(deps): bump github.com/prometheus/client_model from 0.5.0 to 0.6.1 #9314 #9871 @dependabot
chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.52.2 #9309 #9465 #9563 #9714 #9870 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 #9868 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.27.0 to 0.30.0 #9310 #9558 #9867 @dependabot
chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.1 to 0.1.2 #9466 @dependabot
chore(deps): bump github/codeql-action from 3.23.2 to 3.24.10 #9142 #9307 #9415 #9489 #9641 #9710 #9872 @dependabot
chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 #9399 @dependabot
chore(deps): bump golang.org/x/net from 0.20.0 to 0.24.0 #9210 #9869 @dependabot
chore(deps): bump golang.org/x/sys from 0.17.0 to 0.19.0 #9492 #9865 @dependabot
chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 #9204 @dependabot
chore(deps): bump gonum.org/v1/gonum from 0.14.0 to 0.15.0 #9648 @dependabot
chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.63.2 #9315 #9402 #9559 #9866 #9902 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.3 #9277 #9647 @dependabot
chore(deps): bump iptables version #9200 @slonka
chore(deps): bump kumahq/ubuntu-netools from 3f0fefb to 9eba4ba #9898 @dependabot
chore(deps): bump peter-evans/create-pull-request from 5.0.2 to 6.0.2 #9141 #9488 #9640 @dependabot
chore(deps): bump postgres from 49c276f to 5b06192 #9116 #9130 #9162 #9241 #9256 #9278 #9292 #9358 #9390 #9444 #9577 #9601 #9614 #9899 @dependabot
chore(deps): bump prometheus/common to v0.48.0 #9462 @slonka
chore(deps): bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.3 #9207 #9311 #9901 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api #9454 @michaelbeaumont
chore(deps): bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 #9713 @dependabot
chore(deps): bump the go-opentelemetry-io group with 1 update #9464 @dependabot
chore(deps): bump the go-opentelemetry-io group with 10 updates #9864 @dependabot
chore(deps): bump the go-opentelemetry-io group with 8 updates #9206 #9398 @dependabot
chore(deps): bump the k8s-libs group with 5 updates #9308 #9645 @dependabot
chore(deps): bump ubuntu from jammy-20240111 to jammy-20240227 #9140 #9305 #9565 @dependabot
chore(deps): downgrade go-control-plane to v0.11.2-0.20231010133108-1dfbe83bcebc #9163 @lobkovilya
chore(deps): downgrade to golang v1.21.7 #9443 @michaelbeaumont
chore(deps): security update #9102 #9369 #9516 #9819 @kumahq
chore(deps): update golang to v1.22, golangci-lint to v1.56.1 #9316 @michaelbeaumont
chore(deps): upload sbom to gh release/tag assets #9966 @Automaat
chore(deps): use latest kumahq/kuma-gui #9071 #9135 #9156 #9159 #9181 #9183 #9187 #9223 #9224 #9227 #9244 #9247 #9253 #9266 #9267 #9275 #9279 #9290 #9297 #9299 #9318 #9319 #9320 #9337 #9344 #9347 #9355 #9377 #9407 #9408 #9410 #9418 #9420 #9422 #9425 #9426 #9439 #9442 #9451 #9460 #9471 #9486 #9499 #9549 #9572 #9584 #9590 #9605 #9609 #9611 #9613 #9615 #9622 #9625 #9627 #9638 #9654 #9668 #9691 #9700 #9703 #9717 #9719 #9723 #9733 #9735 #9740 #9744 #9751 #9773 #9775 #9777 #9778 #9781 #9783 #9822 #9823 #9824 #9827 #9836 #9837 #9838 #9839 #9852 #9854 #9855 #9878 #9880 #9883 #9906 #9921 @kumahq
feat(GatewayAPI): promote our Gateway API implementation to GA #9939 @bartsmykla
feat(GatewayAPI): use MeshHTTPRoutes instead of MeshGatewayRoutes internally #9732 @bartsmykla
feat(MeshGatewayInstance): deprecate kuma.io/service and generate serviceName #9504 @lukidzi
feat(MeshHTTPRoute): set name of route action equal to hash of matches #9391 @lukidzi
feat(MeshMetric) profiles #9579 #9624 @slonka
feat(MeshMetric): add possibility to configure multiple opentelemetry backends #9445 @Automaat
feat(MeshMetric): add possibility to configure refresh interval for open telemetry backend in meshmetric #9452 @Automaat
feat(MeshMetric): disable rollup of clusters #9768 @slonka
feat(MeshMetric): filter out internal clusters #9754 @slonka
feat(MeshMetric): manually remove regex #9793 @slonka
feat(MeshMetric): properly handle appendProfiles #9915 @slonka
feat(MeshMetric): usedonly filters #9406 @slonka
feat(MeshRateLimit): support targetRef: MeshHTTPRoute for Gateway #9396 @lukidzi
feat(MeshRetry): allow configuration for MeshHTTPRoute #9365 @lukidzi
feat(MeshService): add first iteration of resource #9510 @michaelbeaumont
feat(MeshService): backend ref outbound to mesh service on Dataplane #9653 @jakubdyszkiewicz
feat(MeshService): k8s controller to convert service #9702 @jakubdyszkiewicz
feat(MeshService): xds generation #9583 @michaelbeaumont
feat(MeshTimeout): added possibility to target MeshHTTPRoute for MeshGateway #9446 @lukidzi
feat(MeshTrafficPermission): apply default deny #9110 @jakubdyszkiewicz
feat(ServiceInsight): add zones to service insights #9677 @jakubdyszkiewicz
feat(ZoneIngress): generate an empty direct response listener for empty zone ingress gateway #9745 @jijiechen
feat(api-server): add format and include_eds to admin api #9814 @lahabana
feat(api-server): add type filter to service-insights #9212 @lahabana
feat(api-server): return config_dump response in the same format as envoy admin #9519 @lukidzi
feat(auth): add possibility to restrict /config access #9826 @lahabana
feat(components): exponential backoff for resilient components #9767 @jakubdyszkiewicz
feat(k8s): add experimental.sidecarContainers to Helm chart #9626 @michaelbeaumont
feat(k8s): add drain when using native sidecars #9904 @michaelbeaumont
feat(k8s): add possibility to not add owner reference #9794 @lahabana
feat(k8s): add sidecar startup probe with sidecar feature #9494 @michaelbeaumont
feat(k8s): copy node topology labels #9690 @lukidzi
feat(k8s): do not set mesh owner reference on synced resources #9882 @jakubdyszkiewicz
feat(k8s): enable init container mesh access by default when using native sidecars #9746 @michaelbeaumont
feat(k8s): sidecar containers #9321 @michaelbeaumont
feat(kds): add kds client version to outgoing context #9501 @slonka
feat(kds): add span for admin requests to zone CPs #9411 @michaelbeaumont
feat(kds): stats of kds client versions #9749 @jakubdyszkiewicz
feat(kuma-cni): add a init container to validate that iptables rules are applied #9699 @jijiechen
feat(kuma-cp): add a helper function to get all kuma targetRef kinds to be used in child repos #9687 @jijiechen
feat(kuma-cp): add ability to selectively enable core resources #9555 @michaelbeaumont
feat(kuma-cp): add plugin policy toggles #8828 @slonka
feat(kuma-cp): remove grpc support from mads #9527 @Automaat
feat(kuma-cp): resilient component backoff config #9892 @Automaat
feat(kuma-dp): migrate to prometheus otel sdk when using meshmetric #9424 @Automaat
feat(kuma-dp): use Envoy --drain-strategy immediate #9741 @michaelbeaumont
feat(kumactl): support for new Inspect API endpoint _config #9887 @lobkovilya
feat(pgx): configure idle timeout #9675 @lukidzi
feat(policies): deprecated from[].targetRef.kind: MeshService #9881 @lobkovilya
feat(policies): shadow mode for policies #9850 @lobkovilya
feat(resources): add status #9676 @jakubdyszkiewicz
feat(resources): generate core resource #9405 @jakubdyszkiewicz
feat(tracing): add tracing to intercp gRPC server and client #9383 @michaelbeaumont
feat(transparent-proxy): add automatic iptables type detection #9750 @bartsmykla
feat(transparent-proxy): deprecate argument ‘redirect-inbound-port-v6’ and introduce ‘ip-family-mode’ #8939 @jijiechen
feat(transparent-proxy): drop all capabilities for sidecar containers #9656 @jijiechen
feat(transparent-proxy): init container scc hardening #9688 @jijiechen
fix(GatewayAPI): add missing Name param to query params matcher on MeshHTTPRoute #9662 @bartsmykla
fix(GatewayAPI): don’t add HTTPRoute status if Kuma isn’t the controller #9228 @michaelbeaumont
fix(GatewayAPI): make MeshHTTPRoute conversion port redirect gapi conformant #9669 @bartsmykla
fix(GatewayAPI): set mesh properly during owned object reconciliation #9664 @bartsmykla
fix(MeshGateway): don’t rewrite / with trailing slash #9243 @michaelbeaumont
fix(MeshGateway): fix MeshTCPRoute on MeshGateway #9167 @lahabana
fix(MeshHTTPRoute): allow “kuma.io/unresolved-backend” service name for GAMMA compliance #9670 @bartsmykla
fix(MeshHTTPRoute): allow no backendRefs when RequestRedirect filter present #9671 @bartsmykla
fix(MeshHTTPRoute): fix response headers filter in gateway route generation #9652 @bartsmykla
fix(MeshHTTPRoute): order rules by match priority #9472 @michaelbeaumont
fix(MeshHTTPRoute): trim “/” path match suffix when converting HTTPRoute #9686 @bartsmykla
fix(MeshHealthCheck): isolate MeshGateway config based on hostname #9612 @michaelbeaumont
fix(MeshLoadBalancingStrategy): configure builtin gateway #9877 @lukidzi
fix(MeshMetric): otel endpoint validation #9634 @Automaat
fix(MeshTCPRoute): allow MeshGateway listener tags #9240 @michaelbeaumont
fix(api-server): return 404 when a mesh doesn’t exist #9175 @lahabana
fix(defaults): change meshsubset to mesh for gateway’s meshtimeout #9192 @lukidzi
fix(helm): missing postgres tls mode when it is set to verifyNone #9665 @AyushSenapati
fix(helm): use kuma name in ingress and egress pdb selectors #9211 @slavogiez
fix(k8s): create builtin CA once #9124 @jakubdyszkiewicz
fix(kds): fix memory leak on kds error #9742 @Automaat
fix(kds): fix retry on NACK and add backoff #9736 @slonka
fix(kds): run filters before ZoneWatcher #9119 @lukidzi
fix(kuma-cni): fix the subject namespace reference in Helm Chart #9933 @jijiechen
fix(kuma-cp): change the “direction” of the diff in inspect shadow responses #9914 @lobkovilya
fix(kuma-cp): clone outbound tags #9592 @lukidzi
fix(kuma-cp): copy annotations when adding/update k8s object #9254 @lukidzi
fix(kuma-cp): fix long polling issues in mads #9586 @Automaat
fix(kuma-cp): ignore shadow policies on ZoneEgress #9930 @lobkovilya
fix(kuma-cp): kds sync on upgrade doubles the number of policies #9259 @lobkovilya
fix(kuma-cp): prevent violating kubernetes label limit #9191 @jakubdyszkiewicz
fix(kuma-cp): return wrapped forward KDS client errors #9160 @lukidzi
fix(kuma-cp): use display-name label to check if resource is referenced #9962 @lobkovilya
fix(kumactl): correctly print new style resources #9779 @lahabana
fix(kumactl): npe when creating new core resources #9593 @michaelbeaumont
fix(pgx): use default MaxConnLifetimeJitter value for jitter #9674 @lukidzi
fix(policies): don’t set empty kuma.io service when using MeshHTTPRoute #9394 @lukidzi
fix(policies): fix metrics labels #9913 @Automaat
fix(transparent-proxy): make iptables mode detection more defensive #9776 @bartsmykla
fix(xds): duplicated listeners #9542 @jakubdyszkiewicz
perf(k8s): ignore serviceless pods from vips list #9907 @jakubdyszkiewicz
perf(vips): group DB calls for CreateOrUpdateVIPConfigs #9062 @nicoche

2.6.5

Released on 2024/04/09

chore(deps): bump kumahq/kuma from b203130df372 to 9b95497f2 @kong-mesh

Includes kumahq/kuma@2.6.5 changelog

chore(deps): security update #9820 @kumahq
chore(deps): update Envoy to v1.28.2 #9843 #9848 @michaelbeaumont

2.5.7

Released on 2024/04/09

chore(deps): bump kumahq/kuma from 35f57c23ecdd to 2a7e5013e @kong-mesh

Includes kumahq/kuma@2.5.7 changelog

chore(deps): security update #9818 @kumahq
chore(deps): update Envoy to v1.28.2 #9845 #9847 @michaelbeaumont

2.4.8

Released on 2024/04/09

chore(deps): bump kumahq/kuma from 4d60a91e01d8 to 304050ffd @kong-mesh

Includes kumahq/kuma@2.4.8 changelog

Revert “feat(images/kuma-init): use iptables-wrapper to use correct iptables version (backport of #9701) (#9726)” #9757 @bartsmykla
chore(deps): security update #9684 #9696 #9815 @kumahq
chore(deps): update Envoy to v1.27.4 #9844 @michaelbeaumont

2.3.7

Released on 2024/04/09

chore(deps): bump kumahq/kuma from 04377e548c39 to b0ad06967 @kong-mesh

Includes kumahq/kuma@2.3.7 changelog

Revert “feat(images/kuma-init): use iptables-wrapper to use correct iptables version (backport of #9701) (#9725)” #9758 @bartsmykla
chore(deps): security update #9683 #9694 #9817 @kumahq
chore(deps): update Envoy to v1.26.8 #9842 @michaelbeaumont

2.2.9

Released on 2024/04/09

chore(deps): bump kumahq/kuma from 4a4e4a6c37b2 to 811da1748 @kong-mesh

Includes kumahq/kuma@2.2.9 changelog

Revert “feat(images/kuma-init): use iptables-wrapper to use correct iptables version (backport of #9701) (#9727)” #9759 @bartsmykla
chore(deps): security update #9680 #9695 #9816 @kumahq
chore(deps): update Envoy to v1.26.8 #9841 @michaelbeaumont

2.6.4

Released on 2024/04/02

chore(deps): bump kumahq/kuma from ba48fe1f1a50 to b203130df @kong-mesh

Includes kumahq/kuma@2.6.4 changelog

fix(transparent-proxy): make iptables mode detection more defensive (backport of #9776) #9785 @kumahq

2.5.6

Released on 2024/04/02

chore(deps): bump kumahq/kuma from 35e9401bfab3 to 35f57c23e @kong-mesh

Includes kumahq/kuma@2.5.6 changelog

fix(transparent-proxy): make iptables mode detection more defensive (backport of #9776) #9788 @kumahq

2.6.3

Released on 2024/03/29

chore(deps): bump kumahq/kuma from 4cef8d860e7a to ba48fe1f1 @kong-mesh

Includes kumahq/kuma@2.6.3 changelog

chore(deps): security update #9621 #9681 #9697 @kumahq
feat(transparent-proxy): add automatic iptables type detection (backport of #9750) #9765 @kumahq
fix(MeshHTTPRoute): fix response headers filter in gateway route generation (backport of #9652) #9660 @kumahq

2.5.5

Released on 2024/03/29

chore(deps): bump kumahq/kuma from ea82d4e6d5ad to 35e9401bf @kong-mesh

Includes kumahq/kuma@2.5.5 changelog

chore(deps): security update #9682 #9698 @kumahq
feat(transparent-proxy): add automatic iptables type detection (backport of #9750) #9764 @kumahq

2.6.2

Released on 2024/03/19

chore(deps): bump kumahq/kuma from 7b1269d6f957 to 4cef8d860 @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.6.2 changelog

chore(deps): security update #9368 #9514 #9621 @kumahq
fix(kuma-cp): clone outbound tags (backport of #9592) #9599 @kumahq
fix(xds): duplicated listeners (backport of #9542) #9552 @kumahq

2.5.4

Released on 2024/03/19

chore(deps): bump kumahq/kuma from 23764bbca70d to ea82d4e6d @kong-mesh
chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.5.4 changelog

chore(deps): security update #9366 #9512 #9619 @kumahq

2.4.7

Released on 2024/03/19

chore(deps): bump kumahq/kuma from e5ffd4dc7dc3 to 4d60a91e0 @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.4.7 changelog

chore(deps): security update #9513 #9620 @kumahq
chore(deps): use latest kumahq/kuma-gui #9409 @kumahq

2.3.6

Released on 2024/03/19

chore(deps): bump kumahq/kuma from 59b52bb35d2a to 04377e548 @kong-mesh

Includes kumahq/kuma@2.3.6 changelog

chore(deps): security update #9515 #9618 @kumahq

2.2.8

Released on 2024/03/19

chore(deps): bump kumahq/kuma from fc2c17ee51d4 to 4a4e4a6c3 @kong-mesh

Includes kumahq/kuma@2.2.8 changelog

chore(deps): manual security update release-2.2 #9523 @lobkovilya
chore(deps): security update #9537 #9617 @kumahq

2.5.3

Released on 2024/02/20

chore(deps): bump kumahq/kuma from bd64b43ef337 to 23764bbca @kong-mesh

Includes kumahq/kuma@2.5.3 changelog

chore(deps): security update #9287 @kumahq
chore(deps): update iptables version (backport of #9200) #9215 @kumahq
chore(deps): upgrade envoy to v1.28.1 #9219 @lukidzi
fix(gatewayapi): don’t add HTTPRoute status if Kuma isn’t the controller (backport of #9228) #9235 @kumahq

2.4.6

Released on 2024/02/20

chore(deps): bump kumahq/kuma from 41284773c8df to e5ffd4dc7 @kong-mesh

Includes kumahq/kuma@2.4.6 changelog

chore(deps): update iptables version (backport of #9200) #9214 @kumahq
chore(deps): upgrade envoy to v1.27.3 #9220 @lukidzi

2.3.5

Released on 2024/02/20

chore(deps): bump kumahq/kuma from baa08aefa319 to 59b52bb35 @kong-mesh

Includes kumahq/kuma@2.3.5 changelog

chore(deps): update iptables version (backport of #9200) #9213 @kumahq
chore(deps): upgrade envoy to v1.26.7 #9221 @lukidzi

2.2.7

Released on 2024/02/20

chore(deps): bump kumahq/kuma from e4d77e6a0553 to fc2c17ee5 @kong-mesh

Includes kumahq/kuma@2.2.7 changelog

chore(deps): update iptables version (backport of #9200) #9217 @kumahq
chore(deps): upgrade envoy to v1.26.7 #9294 @lukidzi

2.6.1

Released on 2024/02/19

chore(deps): bump kumahq/kuma from d176c947ae41 to 7b1269d6f @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(MeshOPA): allow kind: MeshGateway (backport of #5404) @kong-mesh
feat(rbac): set the same permission on zone and global (backport of #5432) @kong-mesh
fix(rbac): allow system:authenticated on zone cp (backport of #5391) @kong-mesh

Includes kumahq/kuma@2.6.1 changelog

chore(deps): downgrade go-control-plane to v0.11.2-0.20231010133108-1dfbe83bcebc (backport of #9163) #9285 @kumahq
chore(deps): security update #9288 @kumahq
chore(deps): update iptables version (backport of #9200) #9216 @kumahq
chore(deps): upgrade envoy to v1.28.1 #9218 @lukidzi
chore(deps): use latest kumahq/kuma-gui #9174 #9194 @kumahq
fix(MeshGateway): fix MeshTCPRoute on MeshGateway (backport of #9167) #9180 @kumahq
fix(MeshTCPRoute): allow MeshGateway listener tags #9239 @michaelbeaumont
fix(defaults): change meshsubset to mesh for gateway’s meshtimeout (backport of #9192) #9199 @kumahq
fix(gatewayapi): don’t add HTTPRoute status if Kuma isn’t the controller (backport of #9228) #9236 @kumahq
fix(kubernetes): create builtin CA once (backport of #9124) #9129 @kumahq
fix(kuma-cp): copy annotations when adding/update k8s object (backport of #9254) #9263 @kumahq
fix(kuma-cp): kds sync on upgrade doubles the number of policies (backport of #9259) #9273 @kumahq
fix(kuma-cp): prevent violating kubernetes label limit (backport of #9191) #9233 @kumahq

2.5.2

Released on 2024/02/06

chore(deps): bump kumahq/kuma from d2ced55cd241 to bd64b43ef @kong-mesh

Includes kumahq/kuma@2.5.2 changelog

chore(deps): security update #8678 #8694 #9103 @kumahq
chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8962 @kumahq
chore(deps): update go to 1.21.5 (backport of #8616) #8627 @kumahq
fix(kds): race condition on fill metadata (backport of #8872) #8999 @kumahq
fix(kuma-cp): assign extensions in ZoneInsightSink constructor (backport of #8940) #8956 @kumahq
fix(vips): skip ignored listeners (backport of #8937) #8982 @kumahq

2.4.5

Released on 2024/02/06

chore(deps): bump kumahq/kuma from b3131e7b6555 to 41284773c @kong-mesh
chore(deps): bump shadow-utils (backport of #4768) @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.4.5 changelog

chore(deps): bump the go-opentelemetry-io group with 3 updates (backport of #8347) #8352 @kumahq
chore(deps): security update #8672 #8699 #9100 @kumahq
chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8961 @kumahq
chore(deps): update go to 1.21.4 (backport of #8341) #8345 @kumahq
chore(deps): update go to 1.21.5 (backport of #8616) #8626 @kumahq
fix(ZoneIngress): subset routing when tag is present on all subsets (backport of #8443) #8473 @kumahq
fix(k8s): don’t temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8307 @kumahq
fix(kds): race condition on fill metadata (backport of #8872) #9000 @kumahq

2.3.4

Released on 2024/02/06

chore(deps): bump kumahq/kuma from 815b26399692 to baa08aefa @kong-mesh
chore(deps): bump shadow-utils (backport of #4768) @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.3.4 changelog

chore(deps): security update #8204 #8674 #8697 #9099 @kumahq
chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8958 @kumahq
chore(deps): update go to 1.21.4 (backport of #8341) #8343 @kumahq
chore(deps): update go to 1.21.5 (backport of #8616) #8624 @kumahq
chore(deps): upgrade envoy to 1.26.6 #8162 @lukidzi
fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8175 @kumahq
fix(k8s): don’t temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8306 @kumahq
fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8196 @kumahq
fix(kds): race condition on fill metadata (backport of #8872) #8997 @kumahq

2.2.6

Released on 2024/02/06

chore(deps): bump kumahq/kuma from 467b9011abcf to e4d77e6a0 @kong-mesh
chore(deps): bump shadow-utils (backport of #4768) @kong-mesh
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.2.6 changelog

chore(deps): security update #8202 #8673 #8698 #9105 @kumahq
chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8960 @kumahq
chore(deps): update go to 1.21.4 (backport of #8341) #8346 @kumahq
chore(deps): update go to 1.21.5 (backport of #8616) #8623 @kumahq
chore(deps): upgrade envoy to 1.25.11 #8163 @lukidzi
fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8178 @kumahq
fix(k8s): don’t temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8305 @kumahq
fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8195 @kumahq

2.6.0

Released on 2024/02/01

chore(deps): bump Kong/public-shared-actions from 1.13.0 to 1.14.0 @dependabot
chore(deps): bump actions/setup-go from 4 to 5 @dependabot
chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 @dependabot
chore(deps): bump actions/{upload,download}-artifact from 3 to 4 @dependabot
chore(deps): bump github.com/Kong/kauth-api from 1.118.0 to 1.126.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/kauth from 1.3.0 to 1.4.3 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.7.0 to 1.11.2 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.47.11 to 1.50.2 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.13.2 to 1.13.3 @dependabot
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 @dependabot
chore(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 @dependabot
chore(deps): bump kumahq/kuma from cbf23a65c840 to d176c947a @jakubdyszkiewicz,@kong-mesh,@michaelbeaumont
chore(deps): bump the go-opentelemetry-io group with 1 update @dependabot
chore(deps): bump the opa group with 2 updates @dependabot
chore(deps): bump ubi9-minimal from 9.3-1361.1699548032 to 9.3-1475 @dependabot
chore(deps): security update @kong-mesh
chore(deps): upgrade Kuma manually @lahabana
chore(deps): upgrade shared go components @jakubdyszkiewicz
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(kds): return error from HealthCheck if tenant is missing @michaelbeaumont
feat(kds): use Unauthenticated/PermissionDenied gRPC status codes instead of InvalidArgument @michaelbeaumont
feat(mtls): allow switching CAs when there is only one service and no existing certificate issues in the mesh @jijiechen
fix(kuma-cp): actually call health check endpoint after auth @michaelbeaumont
fix(kuma-cp): proxypatch should be the last policy @lukidzi
fix(kumactl): customize demo namespace @jakubdyszkiewicz
fix(vault): remove error when renewing token on removed mesh @lahabana

Includes kumahq/kuma@2.6.0 changelog

chore(deps): bump actions/cache from 3.3.2 to 4.0.0 #8865 #8985 @dependabot
chore(deps): bump actions/checkout from 3.1.0 to 4.1.1 #8862 @dependabot
chore(deps): bump actions/download-artifact and actions/upload-artifact from 3 to 4 #8701 @michaelbeaumont
chore(deps): bump actions/github-script from 6 to 7 #8422 #8530 @dependabot
chore(deps): bump actions/setup-go from 4 to 5 #8586 @dependabot
chore(deps): bump actions/upload-artifact from 3.1.0 to 4.2.0 #8863 #8986 @dependabot
chore(deps): bump debian from fab22df to b16cef8 #8465 #8685 #8853 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 1ae8df5 to 61c9d7a #8659 @dependabot
chore(deps): bump distroless/static-debian11 from cdb2034 to 1e5b9bb #8657 @dependabot
chore(deps): bump github.com/bakito/go-log-logr-adapter from v0.0.2 to latest #8646 @michaelbeaumont
chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 #8693 @dependabot
chore(deps): bump github.com/containernetworking/plugins from 1.3.0 to 1.4.0 #8588 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.0 to 3.11.2 #8791 @dependabot
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 #8738 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 #8857 #8971 @dependabot
chore(deps): bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.1 #8883 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.2 to 0.5.3 #8975 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.3.0 to 1.4.1 #8726 @dependabot
chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.0 #8724 @dependabot
chore(deps): bump github.com/google/uuid from 1.4.0 to 1.6.0 #8644 #9018 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.46.7 to 0.46.11 #8589 #8790 #8968 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.2 #8587 #8860 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.56 to 1.1.58 #8421 #8970 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.15.0 #8520 #8859 #8973 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.30.0 to 1.31.1 #8976 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 #8728 @dependabot
chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 #8858 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 #8974 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.26.0 to 0.27.0 #8725 @dependabot
chore(deps): bump github/codeql-action from 2 to 3.23.1 #8662 #8864 #8984 @dependabot
chore(deps): bump golang from 1.21.4 to 1.21.6 #8616 #8944 @jakubdyszkiewicz,@michaelbeaumont
chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 #8665 @dependabot
chore(deps): bump golang.org/x/net from 0.18.0 to 0.20.0 #8519 #8789 @dependabot
chore(deps): bump golang.org/x/sys from 0.14.1-0.20231108175955-e4099bfacb8c to 0.16.0 #8521 #8774 @dependabot
chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.61.0 #8645 #8686 #9017 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 #8727 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.13.2 to 3.14.0 #8643 #8969 @dependabot
chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.3.1 #8861 @dependabot
chore(deps): bump postgres from e213539 to 49c276f #8785 #8842 #8866 @dependabot
chore(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 #8972 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.13.0 to 0.14.0 #8856 @dependabot
chore(deps): bump the go-opentelemetry-io group with 3 updates #8420 @dependabot
chore(deps): bump the go-opentelemetry-io group with 5 updates #8967 @dependabot
chore(deps): bump the k8s-libs group from 0.28.3 to 0.28.4 #8419 @dependabot
chore(deps): bump the k8s-libs group with 1 update #8854 @dependabot
chore(deps): bump the k8s-libs group with 3 updates #8642 @dependabot
chore(deps): bump the k8s-libs group with 4 updates #8966 @dependabot
chore(deps): bump ubuntu from 2b7412e to 6042500 #8518 #8658 @dependabot
chore(deps): fix update insecure dependencies by setting bigger swap #8677 @slonka
chore(deps): more explicit image tag in envoy.Dockerfile #8482 @michaelbeaumont
chore(deps): security update #8696 #9104 @kumahq
chore(deps): tag ubuntu image more explicitly #8988 @michaelbeaumont
chore(deps): use latest kumahq/kuma-gui #8400 #8401 #8405 #8418 #8425 #8434 #8440 #8441 #8446 #8452 #8453 #8454 #8470 #8480 #8481 #8488 #8496 #8501 #8504 #8507 #8531 #8534 #8538 #8546 #8550 #8554 #8561 #8564 #8577 #8579 #8583 #8585 #8590 #8592 #8594 #8600 #8601 #8619 #8620 #8637 #8638 #8684 #8709 #8712 #8714 #8735 #8751 #8758 #8779 #8784 #8794 #8797 #8802 #8803 #8810 #8835 #8841 #8848 #8850 #8869 #8870 #8871 #8886 #8895 #8899 #8903 #8910 #8914 #8917 #8941 #8948 #8987 #9003 #9004 #9008 #9040 #9052 #9055 @kumahq
feat(ExternalService): make ExternalServices independent of TrafficPermission #8745 @lukidzi
feat(ExternalService): validate same value for service and address #8641 @jakubdyszkiewicz
feat(MeshAccessLog): select gateway listeners #8560 @michaelbeaumont
feat(MeshCircuitBreaker): select MeshGateway listeners #8562 @michaelbeaumont
feat(MeshFaultInjection): select MeshGateway listeners #8574 @michaelbeaumont
feat(MeshFaultInjection): support ExternalServices with ZoneEgress #8742 @lukidzi
feat(MeshHTTPRoute): add basic gRPC support #8752 @lukidzi
feat(MeshHTTPRoute): add hostToBackendHostname rewrite with MeshGateway #8772 @michaelbeaumont
feat(MeshHTTPRoute): basic MeshGateway support #8402 @michaelbeaumont
feat(MeshHTTPRoute): support hostnames with MeshGateway #8663 @michaelbeaumont
feat(MeshHealthCheck): select MeshGateway listeners #8570 @michaelbeaumont
feat(MeshLoadBalancingStrategy): add option to configure ActiveRequestBias #8553 @lukidzi
feat(MeshLoadBalancingStrategy): select MeshGateway listeners #8571 @michaelbeaumont
feat(MeshLoadBalancingStrategy): support kind MeshGateway #8889 @michaelbeaumont
feat(MeshMetric): add create conflicts to the metric #8894 @jakubdyszkiewicz
feat(MeshMetric): implement OpenTelemetry API for MeshMetric #8874 @Automaat
feat(MeshRateLimit): select MeshGateway listeners #8733 @michaelbeaumont
feat(MeshRateLimit): support ExternalServices with ZoneEgress #8743 @lukidzi
feat(MeshRetry): select MeshGateway listeners #8734 @michaelbeaumont
feat(MeshTCPRoute): add kafka protocol support #8781 @lukidzi
feat(MeshTCPRoute): support MeshGateway #8817 @michaelbeaumont
feat(MeshTimeout): add RequestHeadersTimeout option and configure MeshGateway #8896 @lukidzi
feat(MeshTimeout): select MeshGateway listeners #8573 @michaelbeaumont
feat(MeshTrace): select MeshGateway listeners #8595 @michaelbeaumont
feat(MeshTrace): support kind MeshGateway #8888 @michaelbeaumont
feat(api-server): add /_resources endpoint #8529 @lahabana
feat(api-server): add _rules api to MeshGateways #8540 @lahabana
feat(api-server): add dataplanes/_rules new inspect api #8442 @lahabana
feat(api-server): skip auth on specific endpoints #8458 @jakubdyszkiewicz
feat(bootstrap): support customizing corefile template from kuma-cp #8634 @jijiechen
feat(dataplane): ignored listeners with ignored labels in selector #8463 @jakubdyszkiewicz
feat(grafana): change fixed interval to rate interval variable #8713 @jakubdyszkiewicz
feat(gui): add disabled in the index.html and remove disabled page #8813 @lahabana
feat(injector): add ephemeral-storage resource request/limit for sidecars #8882 @jijiechen
feat(intercp): drop leader on cp shutdown #9046 @jakubdyszkiewicz
feat(k8s): show ZoneEgress zone as column #8913 @michaelbeaumont
feat(k8s): show ZoneIngress zone as column #8906 @michaelbeaumont
feat(kds): add zoneCP info in zone-insights #8720 @lahabana
feat(kds): log additional gRPC status codes at info level #8502 @michaelbeaumont
feat(kuma-cp): added comment and more explicit structure #8753 @lukidzi
feat(kuma-cp): create default target ref policies #8920 @lukidzi
feat(kuma-cp): deprecate standalone mode #8478 @jakubdyszkiewicz
feat(kuma-cp): disable the default creation of TrafficPermission and TrafficRoute #8964 @lukidzi
feat(kuma-cp): enable zone-originated MeshGateway #8919 @lobkovilya
feat(kuma-cp): enable zone-originated policies #8801 @lobkovilya
feat(kuma-cp): hash-suffix remove feature flag #8461 @lobkovilya
feat(kuma-cp): move protocol information to mesh context #8479 @lukidzi
feat(kuma-cp): require kuma.io/origin: zone label when creating zone-origination policies #8873 @lobkovilya
feat(kuma-cp): support cross-zone MeshTCPRoute #8509 @michaelbeaumont
feat(kuma-cp): support labels in ResourceMeta #8516 @lobkovilya
feat(kuma-cp): use labels for KDS sync #8762 @lobkovilya
feat(kuma-dp): add coredns logging flag #8485 @timothy-spencer
feat(kumactl): basic export command #8718 #9009 @jakubdyszkiewicz,@slonka
feat(kumactl): export in kube format #8747 @jakubdyszkiewicz
feat(kumactl): make k8s resources applicable on other clusters #8775 @jakubdyszkiewicz
feat(kumactl): more profiles in export #8780 @jakubdyszkiewicz
feat(mads): extend MADS service to use data from MeshMetric policy #8608 @slonka
feat(policy): Add MeshMetric api #8576 @Automaat
feat(policy): Implement dynamic DPP configuration based on MeshMetric policy #8793 @Automaat
feat(policy): add OpenTelemetry support for MeshMetric #8893 @Automaat
feat(policy): add MeshMetric policy e2e tests #8750 @Automaat
feat(policy): add possibility to target only gateways/sidecars #8868 @lukidzi
feat(policy): add tags to backends for support VirtualOutbounds #8744 @lukidzi
feat(policy): allow policies with from and to configuring egress #8739 @lukidzi
feat(policy): implement MeshMetric xds #8617 @Automaat
feat(policy): support MeshGateway listener matching #8551 @michaelbeaumont
feat(resources): add kuma.io/display-name label #8705 @jakubdyszkiewicz
feat(routes): handle routing if there are no TrafficRoutes #8614 @michaelbeaumont
feat(universal): add VIP_REFRESH_INTERVAL #9042 @nicoche
feat(vip): record generation metrics #9047 @nicoche
feat(xds): do not generate independent listener for vips, use additional_addresses instead #8796 @jijiechen
feat(zone): create Zone resources on zone cp automatically and generate ZoneInsights #8584 @jakubdyszkiewicz
fix(MeshCircuitBreaker): revert validator and check if config is empty #9028 @lukidzi
fix(MeshFaultInjection): handle listener protocol correctly #8815 @michaelbeaumont
fix(MeshHTTPRoute): generate better resources when using HTTPS #9038 @michaelbeaumont
fix(MeshHTTPRoute): make ordering more consistent #8715 @michaelbeaumont
fix(MeshHTTPRoute): use 302 as default status code on Universal to match Kubernetes #8409 @michaelbeaumont
fix(MeshHealthCheck): handle gateway listener protocol correctly #8812 @michaelbeaumont
fix(MeshRateLimit): remove validation of Mesh type and proxyTypes for… #9041 @lukidzi
fix(MeshRetry): handle gateway listener protocol correctly #8811 @michaelbeaumont
fix(ZoneEgress): rewrite host header on ExternalService requests #8403 @michaelbeaumont
fix(ZoneIngress): subset routing when tag is present on all subsets #8443 @michaelbeaumont
fix(ZoneWatch): stop watching Zone if ZoneInsight not found #8766 @michaelbeaumont
fix(api): secret in k8s format #8741 @jakubdyszkiewicz
fix(gateway): check if external service from context when no trafficpermission #8957 @lukidzi
fix(gateway): isolate routes to SNI matches #9054 @michaelbeaumont
fix(k8s): support injection with label kuma.io/sidecar-injection: ‘true’ #8464 @michaelbeaumont
fix(kds): avoid rare cases where onStreamClosed is called with no state #8703 @lahabana
fix(kds): fix deletion of previous zones in components #8867 @lahabana
fix(kds): fix resource sync #9014 @lukidzi
fix(kds): make status tracker work when there’s no metadata #8711 @lahabana
fix(kds): race condition on fill metadata #8872 @jakubdyszkiewicz
fix(kuma-cp): assign extensions in ZoneInsightSink constructor #8940 @bartsmykla
fix(kuma-cp): don’t remove Service if MeshGateway is absent for a while (i.e. due to renaming) #8450 @lobkovilya
fix(kuma-cp): don’t run outbound proxy generator when there is no TrafficRoute #9082 @michaelbeaumont
fix(kuma-cp): enable hash-suffix only if Zone has KDS feature #8460 @lobkovilya
fix(kuma-cp): failure during the migration from non-federated to federated zone #8938 @lobkovilya
fix(kuma-cp): fix address check to not be loopback ipv4 and ipv6 #8490 @lukidzi
fix(kuma-cp): global upgrade #8890 @lobkovilya
fix(kuma-cp): make metadata retrieve method public #8918 @lukidzi
fix(kuma-cp): return sorted list of k8s secrets #9030 @lukidzi
fix(kuma-cp): set creationTime on KDS sync #8945 @lobkovilya
fix(kuma-cp): treat envoy admin errors as 4xx #8615 @lobkovilya
fix(kuma-cp): upgrade from Zone CP without labels to new one #8839 @lobkovilya
fix(kuma-cp): use column names in sql insert #8688 @lobkovilya
fix(kuma-cp): use pagination store for secret store #9033 @lukidzi
fix(metrics): fix kds metrics for simple watchdog #8428 @slonka
fix(metrics): unify zone name in metrics for k8s and universal #8435 @slonka
fix(policy): allow period in targetRef names #8754 @michaelbeaumont
fix(policy): first lexicographically wins, kind MeshGateway with tags over kind MeshGateway #8691 @michaelbeaumont
fix(policy): improve validator messages, allow string failoverthreshold #8929 @lahabana
fix(policy): support delegated gateways #8740 @michaelbeaumont
fix(vips): skip ignored listeners #8937 @jakubdyszkiewicz

2.5.1

Released on 2023/12/12

chore(deps): bump kumahq/kuma from bbfcb64fd56d to d2ced55cd @kong-mesh
chore(deps): security update @kong-mesh
fix(kuma-cp): proxypatch should be the last policy (backport of #4931) @kong-mesh

Includes kumahq/kuma@2.5.1 changelog

feat(dataplane): ignored listeners with ignored labels in selector (backport of #8463) #8544 @kumahq
fix(ZoneIngress): subset routing when tag is present on all subsets (backport of #8443) #8475 @kumahq
fix(metrics): fix kds metrics for simple watchdog (backport of #8428) #8430 @kumahq

2.5.0

Released on 2023/11/15

Based on Kuma 2.5.0

chore(deps): build without containerd @slonka
chore(deps): bump Kong/public-shared-actions from 1.12.0 to 1.13.0 @dependabot
chore(deps): bump actions/checkout from 3 to 4 @dependabot,@lukidzi
chore(deps): bump github.com/Kong/kauth-api from 1.114.0 to 1.118.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/kauth from 1.0.9 to 1.2.5 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.1.2 to 1.6.2 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.44.329 to 1.47.1 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.12.3 to 1.13.2 @dependabot
chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.6+incompatible @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.45.0 to 0.46.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.4.1 to 0.5.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.9.2 to 0.10.2 @dependabot
chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 @dependabot
chore(deps): bump github.com/open-policy-agent/opa-envoy-plugin from 0.55.0-envoy to 0.58.0-envoy @dependabot
chore(deps): bump github.com/spf13/afero from 1.9.5 to 1.10.0 @dependabot
chore(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 @dependabot
chore(deps): bump google.golang.org/grpc from 1.58.3 to 1.59.0 @dependabot
chore(deps): bump kuma and add missing dependency in upgrade/kuma @lahabana
chore(deps): bump kumahq/kuma from 40da07fcd075 to bbfcb64fd @kong-mesh
chore(deps): bump shadow-utils (backport of #4768) @slonka
chore(deps): bump the go-opentelemetry-io group with 1 update @dependabot
chore(deps): bump the go-opentelemetry-io-contrib group with 1 update @dependabot
chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 @dependabot
chore(deps): bump ubi9-minimal from 9.2-717 to 9.2-750.1697625013 @dependabot
chore(deps): downgrade testcontainers from v0.24.0 to v0.23.0 @jakubdyszkiewicz
chore(deps): remove pinned Helm version @michaelbeaumont
chore(deps): remove ristretto pin @michaelbeaumont
chore(deps): update shared-go @slonka
chore(deps): update shared-go kauth dependency @Automaat
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(awsiam): add ability to assume roles for cross account auth @michaelbeaumont
feat(awsiam): only require role name in rolesToAssumeForAccounts @michaelbeaumont
feat(helm): remove license text for MinK zones @johnharris85
feat(kuma-cp): allow to change mtls backends with skiping validation @lukidzi
feat(kuma-cp): include tenant aware unary interceptor @michaelbeaumont
feat(kuma-cp): introduce resource limiting capability @bartsmykla
feat(kuma-cp): use ReadResourceManager for RBAC @lukidzi
feat(tenants): do not ensure mesh default mesh resources manually @jakubdyszkiewicz
feat(tenants): shard tenants for postgres @jakubdyszkiewicz
fix(awsiam): refresh GetCallerIdentity request in DP @michaelbeaumont
fix(certmanager): enable cert manager in universal global @kong-mesh
fix(kmesh-cp): extend new zone name validation to be compliant with RFC1035 dns name @Automaat
fix(kuma-cp): set cp mode for ACMCA plugin @lukidzi
fix(tenants): sharding setup @jakubdyszkiewicz

Includes kumahq/kuma@2.5.0 changelog

chore(deps): bump actions/checkout from 3 to 4 #7639 @dependabot
chore(deps): bump actions/setup-node from 3 to 4 #8109 @dependabot
chore(deps): bump cirello.io/pglock from 1.14.0 to 1.14.1 #7914 @dependabot
chore(deps): bump debian from b91baba to 7d3e881 #7697 #7852 #8053 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 6579e1f to 1ae8df5 #7635 #7985 @dependabot
chore(deps): bump distroless/static-debian11 from 312a533 to cdb2034 #7636 #7987 @dependabot
chore(deps): bump envoy from 1.27.0 to 1.27.1 #8023 @lahabana
chore(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.2 #8093 @dependabot
chore(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #7712 @dependabot
chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible #8183 @dependabot
chore(deps): bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0 #7786 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.1 to 0.5.2 #7857 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.2.4 to 1.3.0 #8184 @dependabot
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.4.0 #7609 #8188 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.43.13 to 0.46.1 #7792 #7993 #8090 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.55 to 1.1.56 #7785 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.13.0 #7611 #7854 #7991 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.27.10 to 1.29.0 #7917 #8094 #8185 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 #7916 @dependabot
chore(deps): bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 #7992 @dependabot
chore(deps): bump github.com/slok/go-http-metrics from 0.10.0 to 0.11.0 #8091 @dependabot
chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 #7989 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.23.0 to 0.26.0 #7791 #7945 #8186 @dependabot
chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.0 to 0.1.1 #7641 @dependabot
chore(deps): bump go from 1.20.7 to 1.21.1 #7799 @lukidzi
chore(deps): bump go version to 1.21.3 #8001 @slonka
chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 #7789 @dependabot
chore(deps): bump golang.org/x/net from 0.14.0 to 0.16.0 #7699 #7988 @dependabot
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #8034 @michaelbeaumont
chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 #7642 @dependabot
chore(deps): bump golang.org/x/text from 0.12.0 to 0.13.0 #7640 @dependabot
chore(deps): bump golangci-lint from v1.53.3 to v1.54.1 #7837 @michaelbeaumont
chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.59.0 #7698 #7788 #7856 #8097 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.12.3 to 3.13.1 #7915 #8089 @dependabot
chore(deps): bump k8s.io/apiextensions-apiserver from v0.28.1 to v0.28.2 #7918 @michaelbeaumont
chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.3 #7643 #7787 #8095 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to v1.0.0 #7644 #7781 #8150 @dependabot,@michaelbeaumont
chore(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 #8187 @dependabot
chore(deps): bump the go-opentelemetry-io group with 3 updates #7784 #7920 @dependabot
chore(deps): bump the go-opentelemetry-io group with 3 updates #8347 @slonka
chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates #7613 @dependabot
chore(deps): bump the go-opentelemetry-io-otel group with 2 updates #7607 @dependabot
chore(deps): bump the k8s-libs group with 3 updates #7606 #7790 #8088 @dependabot
chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 #7638 #7731 #7853 @dependabot
chore(deps): bump ubuntu from ec050c3 to 2b7412e #7637 #7986 #8052 @dependabot
chore(deps): downgrade testcontainers-go from v0.24.0 to v0.23.0 #7800 @jakubdyszkiewicz
chore(deps): update gateway-api #8270 @michaelbeaumont
chore(deps): update go to 1.21.4 #8341 @slonka
chore(deps): upgrade envoy to 1.28.0 #8158 @lukidzi
chore(deps): upgrade github.com/gruntwork-io/terratest to v0.43.13 #7706 @lukidzi
chore(deps): use latest kumahq/kuma-gui #7603 #7604 #7605 #7612 #7614 #7617 #7619 #7620 #7622 #7626 #7627 #7628 #7629 #7631 #7646 #7647 #7648 #7650 #7653 #7658 #7659 #7689 #7700 #7710 #7713 #7721 #7727 #7729 #7730 #7732 #7733 #7738 #7739 #7749 #7750 #7754 #7755 #7766 #7777 #7779 #7795 #7797 #7798 #7802 #7804 #7806 #7811 #7812 #7822 #7866 #7867 #7899 #7900 #7902 #7935 #7953 #7966 #7973 #7979 #7980 #7983 #7984 #7996 #7998 #8009 #8010 #8041 #8045 #8048 #8049 #8057 #8059 #8061 #8074 #8080 #8083 #8085 #8104 #8115 #8118 #8120 #8126 #8145 #8146 #8147 #8201 #8207 #8210 #8213 #8214 #8215 #8217 #8219 #8220 #8221 #8232 #8236 #8238 #8239 @kumahq
feat(ExternalService): add skip hostname verification for external services #7633 @alparslanavci
feat(MeshLoadBalancingStrategy): new locality aware api #8082 #8112 @Automaat,@lukidzi
feat(MeshProxyPatch): allow policy to target MeshGateway resources #8044 @bartsmykla
feat(api-server): add /_overview for all types that have overviews #7999 #8173 @lahabana
feat(api-server): add filtering on list external-services and dataplanes #7810 @lahabana
feat(api-server): added query parameter to filter services by name #8154 @lukidzi
feat(api-server): implement new Global Insight endpoint #7775 #7872 @Automaat
feat(api-server): new inspect api #8148 @lahabana
feat(docs): add generated openapi docs #7975 @lahabana
feat(dp-token): allow validator to define keys not scoped to a mesh #8169 @nicoche
feat(events): configurable buffers and predicates #7735 @jakubdyszkiewicz
feat(gui): adds storeType index.html variable #7965 @johncowen
feat(helm): add configurable service port for cp ingress #8263 @lahabana
feat(helm): add loadBalancerSourceRanges on global zone sync service #7978 @slavogiez
feat(helm): add possibility to run universal zone cp on kubernetes #7924 @Automaat
feat(helm): add service-account features to egress and ingress #7864 @lahabana
feat(helm): add support for controlplane deployment annotations #7959 @slavogiez
feat(helm): allow to define service accounts annotations #7724 @lukidzi
feat(helm): allow to disable tls-checksum generation #7955 @lukidzi
feat(helm): minReadySeconds for control plane #7931 @jakubdyszkiewicz
feat(insights): jitter zone insights upsert #7925 @jakubdyszkiewicz
feat(insights): metrics of reason and result #7752 @jakubdyszkiewicz
feat(insights): multiple workers #7778 @jakubdyszkiewicz
feat(kds): add metrics to event based watchdog #7651 @jakubdyszkiewicz
feat(kds): add user-agent with useful version info #7886 @lahabana
feat(kds): allow to delay full resync when ticker #7782 @lukidzi
feat(kds): allow to disable KDS SOTW grpc api #7961 @lukidzi
feat(kds): better error handling #7868 @jakubdyszkiewicz
feat(kds): compact subscriptions in insights #7962 @jakubdyszkiewicz
feat(kds): enable delta by default #8262 @lahabana
feat(kds): execute filters on envoy admin streams #7905 @jakubdyszkiewicz
feat(kds): experimental event based watchdog #7624 @jakubdyszkiewicz
feat(kds): introduce zone health checks #7821 @michaelbeaumont
feat(kds): pass resource keys to resourceStore for delta kds #7654 @lukidzi
feat(kds): resource sync metric #7794 @jakubdyszkiewicz
feat(kds): response backoff #7997 @jakubdyszkiewicz
feat(kds): use hash-suffix for KDS sync #7519 @lobkovilya
feat(kuma-cp): add HealthCheck unary endpoint #7815 @michaelbeaumont
feat(kuma-cp): add basedOnKuma in cp_info metric #8218 @lahabana
feat(kuma-cp): add locality aware implementation for egress #8233 @Automaat
feat(kuma-cp): add support for Gateway in MeshLoadBalancingStrategy #8309 @Automaat
feat(kuma-cp): allow to disable backend validation #7901 @lukidzi
feat(kuma-cp): make OpenTelemetry control plane tracing fully configurable #7936 @michaelbeaumont
feat(kuma-cp): move KDS hash suffix under a feature flag #8363 @lobkovilya
feat(kuma-dp): support setting Envoy’s –component-log-level #8241 @michaelbeaumont
feat(kumactl): support new inspect api #8192 @lahabana
feat(rsa): add support for PKIX encoded pubkeys #8179 @nicoche
feat(store): add owner reference to the secrets #7770 @slonka
feat(store): added postgres index for owner columns #7625 @lukidzi
feat(store): allow ResourceStore to be customized #7743 @bartsmykla
feat(store): conflict metrics #7753 @jakubdyszkiewicz
feat(store): consistent gets for read replica #7923 @jakubdyszkiewicz
feat(store): support postgres reader replica #7763 @jakubdyszkiewicz
feat(tenants): add extension points for sharding #7502 @jakubdyszkiewicz
feat(transparent-proxy): add --exclude-outbound-ports-for-uids #7588 @lahabana
feat(transparent-proxy): allow to wait for xtables lock and retry when installing tproxy fails #7870 @bartsmykla
feat(xds): auto reachable services based on MeshTrafficPermission #8125 @jakubdyszkiewicz
fix(MeshFaultInjection): include tags negation in header matching #8043 @bartsmykla
fix(MeshGateway): ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames #8156 @ttreptow
fix(MeshTrafficPermission): support permissive mtls #8171 @jakubdyszkiewicz
fix(TrafficRoute): use default value when choiceCount is 0 #7938 @lukidzi
fix(api-server): 400 error on admin operations on not yet connected stream #8039 @slonka
fix(api-server): always remove empty array in inspect gw api #8209 @lahabana
fix(api-server): avoid panic when there no insight for entity #8068 @lahabana
fix(api-server): dataplane overview pagination #7803 @jakubdyszkiewicz
fix(api-server): empty list instead of null #7780 @jakubdyszkiewicz
fix(api-server): improve HandleError to handle rest_errors.Error and fix Unauthenticated error handling #7818 @bartsmykla
fix(api-server): improve error handling and return status #7937 @lahabana
fix(core): better lifecycle when context is getting cancelled #8268 @lahabana
fix(envoy): remove apple flag #8314 @lukidzi
fix(gatewayapi): don’t set RefNotPermitted for GAMMA routes #7771 @michaelbeaumont
fix(gatewayapi): don’t set listener ResolvedRefs based on routes ResolvedRefs #7809 @michaelbeaumont
fix(helm): do not run webhooks on kube-system #8157 @lahabana
fix(helm): make CNI configmap and serviceaccount support custom namespace #7956 @slavogiez
fix(helm): use bitnami/kubectl image for helm hooks #7656 @lahabana
fix(insights): have subscription gc also work for zoneEgress insights #7954 @lahabana
fix(insights): improve ZoneInsight subscription management #8153 @michaelbeaumont
fix(k8s): add namespace to deleteObjectIfExist in pod controller #8063 @slonka
fix(k8s): don’t temporarily remove all AvailableServices on ZoneIngress Pod reconciliations #8301 @slonka
fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services #8168 @bartsmykla
fix(kds): call CloseSend and exit a goroutine when sync fails to start #7869 @lukidzi
fix(kds): delta delivery metric #7793 @jakubdyszkiewicz
fix(kds): don’t inc KdsGenerationErrors when context canceled #7913 @michaelbeaumont
fix(kds): experimental watchdog concurrent map write #7630 @jakubdyszkiewicz
fix(kds): set error when KDS clients fails in goroutine #7725 @lukidzi
fix(kds): try returning unavailable on app context finish #8050 @slonka
fix(kds): use deprecated method in otel #8366 @slonka
fix(kuma-cni): support port exclusion for UIDs #8319 @lobkovilya
fix(kuma-cp): change affinityTag field in MeshLoadBalancingStrategy t… #8294 @Automaat
fix(kuma-cp): cleanup interval should be calculated based on “expirationTime” for hashCache #8065 @lobkovilya
fix(kuma-cp): don’t add postStart hook to builtin gateway even if waitForDataplaneReady: true #7939 @lobkovilya
fix(kuma-cp): don’t configure RBAC rules on Prometheus listener #8172 @lobkovilya
fix(kuma-cp): fix Zone{In E}gress sync when no mesh #8129 @bartsmykla
fix(kuma-cp): meta validation compatible with Kubernetes naming rules #7976 @lobkovilya
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes #7909 @lobkovilya
fix(kuma-cp): take proper context for resync #7805 @lukidzi
fix(kuma-cp): use GetConsistent store when validating default mesh resources #7949 @lukidzi
fix(kuma-cp): using policy name with “.” causes hash to be inserted in the wrong place on the zone #8240 @lobkovilya
fix(kuma-dp): advise user to check pod events when data plane rejected by webhooks #8257 @jijiechen
fix(kuma-dp): fix build #8282 @Automaat
fix(kuma-dp): fix incorrect dataplane name due to mangled env vars #8199 @bartsmykla
fix(kumactl): add --mesh parameter to inspect <policy> #7696 @lahabana
fix(observability): add annotation to make observability while running CNI work #8330 @slonka
fix(policy): improve targetRef name and tags validation #7972 @alparslanavci
fix(store): fix passing logs to pglock #8040 @slonka
fix(store): use customizer for postgres ro pool #7769 @jakubdyszkiewicz
fix(transparent-proxy): fix –wait flags for iptables legacy #8364 @bartsmykla
fix(xds): backwards compatibility on access logs paths #7662 @jakubdyszkiewicz
fix(xds): use stable hashes for outbound cluster names #8081 @michaelbeaumont
perf(insights): fetch dp overviews once #7652 @jakubdyszkiewicz
perf(insights): fetch external services once #7796 @lukidzi
perf(insights): refresh only changed #7737 @jakubdyszkiewicz
perf(store): postgres transactions #7995 @jakubdyszkiewicz
perf(xds): put the Gatewaylisteners in the Proxy #8051 @lahabana

2.4.4

Released on 2023/11/06

chore(deps): bump kumahq/kuma from eeeb2a1eb7bd to b3131e7b6 @kong-mesh
chore(deps): security update @kong-mesh
fix(awsiam): refresh GetCallerIdentity request in DP (backport of #4674) @kong-mesh

Includes kumahq/kuma@2.4.4 changelog

chore(deps): security update #8054 #8205 @kumahq
fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8176 @kumahq
fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8198 @kumahq
fix(kuma-cp): fix ZoneIngress/ZoneEgress sync when no mesh (backport of #8129) #8134 @kumahq

2.4.3

Released on 2023/10/12

chore(deps): bump kumahq/kuma from 80db656df125 to eeeb2a1eb @kong-mesh
chore(deps): bump opa to 0.57 @slonka

Includes kumahq/kuma@2.4.3 changelog

chore(deps): bump envoy from 1.27.0 to 1.27.1 #8025 @lahabana
chore(deps): bump go version to 1.21.3 (backport of #8001) #8012 @kumahq
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8032 @michaelbeaumont

2.3.3

Released on 2023/10/12

chore(deps): build without containerd (backport of #4229) @kong-mesh
chore(deps): bump kumahq/kuma from c56df80922be to 815b26399 @kong-mesh
chore(deps): bump opa to 0.57 @slonka
chore(deps): security update @kong-mesh
fix(audit): use background context (backport of #4035) @kong-mesh

Includes kumahq/kuma@2.3.3 changelog

chore(deps): bump envoy from 1.26.4 to 1.26.5 #8024 @lahabana
chore(deps): bump go from 1.20.7 to 1.21.1 #7825 @kumahq
chore(deps): bump go version to 1.21.3 (backport of #8001) #8016 @kumahq
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8033 @michaelbeaumont
chore(deps): bump golangci-lint from v1.53.3 to v1.53.3 #7838 #7848 @kumahq
chore(deps): security update #7734 @kumahq
chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7529 @kumahq
fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7833 @kumahq
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7927 @kumahq
fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7576 @kumahq

2.2.5

Released on 2023/10/12

chore(deps): build without containerd (backport of #4229) @kong-mesh
chore(deps): bump kumahq/kuma from 858fa348ff7f to 467b9011a @kong-mesh
chore(deps): bump opa to 0.57 @slonka
fix(audit): use background context (backport of #4035) @kong-mesh

Includes kumahq/kuma@2.2.5 changelog

chore(deps): bump envoy from 1.25.9 to 1.25.10 #8026 @lahabana
chore(deps): bump go from 1.20.7 to 1.21.1 #7827 @kumahq
chore(deps): bump go version to 1.21.3 (backport of #8001) #8013 @kumahq
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8031 @michaelbeaumont
chore(deps): bump golangci-lint from v1.53.3 to v1.53.3 #7842 #7844 @kumahq
chore(deps): security update #7718 @kumahq
chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7531 @kumahq
fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7832 @kumahq
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7928 @kumahq
fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7579 @kumahq

2.1.7

Released on 2023/10/12

chore(deps): bump kumahq/kuma from bc5859add936 to f8e669466 @kong-mesh
fix(audit): use background context (backport of #4035) @kong-mesh

Includes kumahq/kuma@2.1.7 changelog

chore(deps): bump envoy from 1.24.10 to 1.24.11 #8027 @lahabana
chore(deps): bump go from 1.20.7 to 1.21.1 #7829 @kumahq
chore(deps): bump go version to 1.21.3 (backport of #8001) #8015 @kumahq
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8030 @michaelbeaumont
chore(deps): security update #7716 @kumahq
chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7532 @kumahq
fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7830 @kumahq
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7926 @kumahq
fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7577 @kumahq

2.0.8

Released on 2023/10/12

chore(deps): bump github.com/docker/distribution from 2.8.2-beta.1 to 2.8.2 @michaelbeaumont
chore(deps): bump kumahq/kuma from 4ecbae54501e to 6ecaf21ff @kong-mesh,@michaelbeaumont
chore(deps): security update @kong-mesh
fix(audit): use background context (backport of #4035) @kong-mesh

Includes kumahq/kuma@2.0.8 changelog

chore(deps): bump envoy from 1.24.10 to 1.24.11 #8028 @lahabana
chore(deps): bump go from 1.18 to 1.21.1 #7533 #7828 @kumahq,@michaelbeaumont
chore(deps): bump go version to 1.21.3 (backport of #8001) #8014 @kumahq
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8029 @michaelbeaumont
chore(deps): bump golangci-lint from v1.53.3 to v1.53.3 #7841 #7847 @kumahq
chore(deps): security update #7406 #7453 #7717 @kumahq
chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7528 @kumahq
fix(containerd): only build cgroups on linux (backport of #7408) #7423 @kumahq
fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7831 @kumahq
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7930 @kumahq
fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7580 @kumahq
fix(sec): get rid of dependency on containerd (backport of #7387) #7389 @kumahq

2.4.2

Released on 2023/10/02

chore(deps): build without containerd (backport of #4229) @kong-mesh
chore(deps): bump kumahq/kuma from ecac076c0da2 to 80db656df @kong-mesh
chore(deps): security update @kong-mesh
feat(awsiam): add ability to assume roles for cross account auth (backport of #4344) @kong-mesh
feat(awsiam): only require role name in rolesToAssumeForAccounts (backport of #4365) @kong-mesh
fix(auth): better error message when invalid token supplied (backport of #4429) @kong-mesh

Includes kumahq/kuma@2.4.2 changelog

chore(deps): bump go from 1.20.7 to 1.21.1 #7826 @kumahq
chore(deps): security update #7719 @kumahq
feat(kds): add user-agent with useful version info (backport of #7886) #7897 @kumahq
feat(kds): better error handling (backport of #7868) #7877 @kumahq
feat(transparent-proxy): allow to wait for xtables lock and retry when installing tproxy fails (backport of #7870) #7892 @kumahq
fix(kds): call CloseSend and exit a goroutine when sync fails to start (backport of #7869) #7883 @kumahq
fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7834 @kumahq
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7929 @kumahq

2.4.1

Released on 2023/09/08

chore(deps): bump kumahq/kuma from d7115ca38696 to ecac076c0 @kong-mesh

Includes kumahq/kuma@2.4.1 changelog

chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.1 #7680 @kumahq
chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to 0.8.0 #7664 @kumahq
chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates (backport of #7613) #7678 @kumahq
chore(deps): bump the go-opentelemetry-io-otel group with 2 updates (backport of #7607) #7670 @kumahq
chore(deps): bump the k8s-libs group with 3 updates (backport of #7606) #7688 @kumahq
fix(kumactl): add --mesh parameter to inspect <policy> (backport of #7696) #7703 @kumahq
fix(xds): backwards compatibility on access logs paths (backport of #7662) #7694 @kumahq

2.4.0

Released on 2023/08/29

chore(deps): bump github.com/Kong/kauth-api from 1.95.0 to 1.113.0 @dependabot
chore(deps): bump github.com/Kong/shared-go/kauth from 1.0.1 to 1.0.5 @dependabot
chore(deps): bump github.com/Kong/shared-go/rest from 1.0.3 to 1.1.2 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.44.268 to 1.44.329 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.12.0 to 1.12.3 @dependabot
chore(deps): bump github.com/docker/docker from 24.0.0+incompatible to 24.0.5+incompatible @dependabot
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.41.16 to 0.43.12 @dependabot
chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.2 to 0.7.4 @dependabot
chore(deps): bump github.com/hashicorp/vault/api from 1.9.1 to 1.9.2 @dependabot
chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.4.0 to 0.4.1 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.9.0 to 0.9.2 @dependabot
chore(deps): bump github.com/kong/shared-go/kauth to 0.8.0 @michaelbeaumont
chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.55.0 @dependabot,@michaelbeaumont
chore(deps): bump github.com/open-policy-agent/opa-envoy-plugin from 0.51.0-envoy to 0.55.0-envoy @dependabot
chore(deps): bump kumahq/kuma from 0f4429297271 to d7115ca38 @bartsmykla,@kong-mesh
chore(deps): bump the k8s-libs group with 1 update @dependabot
chore(deps): bump ubi9-minimal from 9.2-484 to 9.2-717 @dependabot
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
chore(release): merge release-2.3 @michaelbeaumont
feat(insights): trigger computation @jakubdyszkiewicz
feat(kmesh-cp): add information about authorization data in requests when connection from zone to global cp @Automaat
feat(kmesh-cp): disable external CA validation on global @jakubdyszkiewicz
feat(kmesh-cp): do not assert tenants activity update @jakubdyszkiewicz
feat(kuma-cp): add opentelemetry instrumentation for api-server Konnect client @michaelbeaumont
feat(kuma-cp): add trace spans for zone auth konnect calls @michaelbeaumont
feat(kuma-cp): add tracing to kauth pdp calls @michaelbeaumont
feat(kuma-cp): create tenants resources concurrently @lukidzi
feat(kuma-cp): removed 2nd call and unused CP key @lukidzi
feat(license): support zone licensing @lahabana
feat(security): add action to scan images we build @slonka
feat(security): fix typo @slonka
feat(security): rename the workflow and remove dot slash @slonka
feat(security): rename workflow run-name @slonka
feat(security): switch to repo uses @slonka
feat(tracing): add TenantsWs spans @michaelbeaumont
fix(.github): fix scan docker images @lahabana
fix(audit): use background context @jakubdyszkiewicz
fix(kmesh-cp): revert “add information about authorization data in re… @Automaat
fix(kmesh-cp): tenants activity context and proceed with filter chain @jakubdyszkiewicz
fix(kuma-cp): refresh only specific mesh when event triggered @lukidzi
fix(license): rename zones to mesh_zones @lahabana

Includes kumahq/kuma@2.4.0 changelog

chore(deps): bump CoreDNS from v1.10.1 to v1.11.1 #7493 #7523 @michaelbeaumont
chore(deps): bump cirello.io/pglock from 1.13.0 to 1.14.0 #7554 @dependabot
chore(deps): bump debian from 3d868b5 to b91baba #7403 #7547 @dependabot
chore(deps): bump envoy to 1.26.3 #7267 @lukidzi
chore(deps): bump github.com/cilium/ebpf from 0.10.0 to 0.11.0 #7205 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.10.2 to 3.11.0 #7552 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #7159 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.0 to 0.5.1 #7337 @dependabot
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.3 #7273 #7474 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.27.8 to 1.27.10 #7336 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.20.1 to 0.23.0 #7122 #7514 @dependabot
chore(deps): bump go.opentelemetry.io/proto/otlp from 0.20.0 to 1.0.0 #7272 @dependabot
chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 #7472 @dependabot
chore(deps): bump golang.org/x/net from 0.11.0 to 0.14.0 #7206 #7475 @dependabot
chore(deps): bump golang.org/x/sys from 0.9.0 to 0.11.0 #7204 #7471 @dependabot
chore(deps): bump golang.org/x/text from 0.10.0 to 0.12.0 #7203 #7476 @dependabot
chore(deps): bump golangci-lint from v1.51.2 to v1.53.3 #7334 @lahabana
chore(deps): bump gonum.org/v1/gonum from 0.13.0 to 0.14.0 #7553 @dependabot
chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.57.0 #7123 #7202 #7373 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #7124 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.12.1 to 3.12.3 #7270 #7515 @dependabot
chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.3 to 0.27.4 #7372 @michaelbeaumont
chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.0 to 0.15.1 #7470 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.12.0 to 0.13.0 #7271 #7550 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from 0.7.1-0.20230727082008-1764e458047d to 0.8.0-rc1 #7371 #7513 @dependabot,@michaelbeaumont
chore(deps): bump the k8s-libs group with 3 updates #7335 #7549 @dependabot
chore(deps): bump ubuntu from 0bced47 to ec050c3 #7546 @dependabot
chore(deps): update go from 1.20.5 to 1.20.6 #7414 @slonka
chore(deps): update testcontainers-go to 0.22.0 #7477 @slonka
chore(deps): update to go 1.20.7 #7429 @slonka
chore(deps): upgrade envoy to 1.26.4 #7367 @lukidzi
chore(deps): upgrade envoy to 1.27.0 #7411 @lukidzi
chore(deps): use latest kumahq/kuma-gui #7095 #7096 #7097 #7100 #7113 #7127 #7128 #7156 #7169 #7171 #7193 #7219 #7255 #7260 #7261 #7274 #7279 #7284 #7305 #7308 #7320 #7322 #7328 #7331 #7340 #7341 #7343 #7345 #7350 #7357 #7369 #7370 #7376 #7378 #7379 #7385 #7388 #7413 #7421 #7430 #7444 #7478 #7479 #7480 #7481 #7482 #7487 #7498 #7499 #7503 #7509 #7510 #7511 #7517 #7518 #7522 #7524 #7537 #7538 #7548 #7557 #7566 #7568 #7569 #7571 #7575 #7581 #7582 #7584 @kumahq
chore(release): merge release-2.3 #7099 @michaelbeaumont
feat(MeshHealthCheck): allow top level targetRef kind MeshGateway #7194 @michaelbeaumont
feat(MeshRetry): allow top level targetRef kind MeshGateway #7190 @michaelbeaumont
feat(MeshTimeout): allow top level targetRef.kind MeshGateway #7137 @michaelbeaumont
feat(VirtualOutbound): support multizone #7407 @jakubdyszkiewicz
feat(api-server): add isTargetRefBased in /policies #7561 @lahabana
feat(api-server): add service unavailable error #7501 @slonka
feat(api-server): allow WebService customization in plugins #7497 @michaelbeaumont
feat(api-server): error status is an int #7162 @jakubdyszkiewicz
feat(cni): add retry for CNI config file check #7215 @StuAtKong
feat(insights): add event to trigger computation #7506 @jakubdyszkiewicz
feat(insights): change metrics to milliseconds #7491 @jakubdyszkiewicz
feat(k8s): show targetRef kind/name in kubectl output #7116 @michaelbeaumont
feat(kuma-cp): add ‘renewDeadline’ and ‘leaseDuration’ config params #7448 @lobkovilya
feat(kuma-cp): add info about presence of auth token in zoneInsight #7598 @Automaat
feat(kuma-cp): add observability to k8s auth cache #7192 @jakubdyszkiewicz
feat(kuma-cp): add opentelemetry traces to pgx #7216 @michaelbeaumont
feat(kuma-cp): add tracing to KDS server #7160 @michaelbeaumont
feat(kuma-cp): allow to disable resources count metrics #7304 @lukidzi
feat(kuma-cp): better xds metrics #7208 @jakubdyszkiewicz
feat(kuma-cp): block application container start until dp is ready #7583 @lukidzi
feat(kuma-cp): extend ZoneInsight api with information about usage of… #7563 @Automaat
feat(kuma-cp): force routing through zone egress #7558 @jakubdyszkiewicz
feat(kuma-cp): implement TLS listener for prometheus #7534 @lukidzi
feat(kuma-cp): introduce OpenTelemetry tracing #7153 @michaelbeaumont
feat(kuma-cp): support Datadog propagation for tracing #7168 @michaelbeaumont
feat(kuma-dp): don’t require NET_BIND_SERVICE capability #7276 @michaelbeaumont
feat(kumactl): define User-Agent #7307 @mmorel-35
feat(metrics): expose kube controller manager metrics #7158 @jakubdyszkiewicz
feat(metrics): support OpenMetrics from applications #7125 @AyushSenapati
feat(observability): add traceId in error messages #7329 @lahabana
feat(observability): components metrics #7209 @jakubdyszkiewicz
feat(policy): add targetRef.kind MeshGateway #7114 @michaelbeaumont
feat(watchdog): don’t call onError if error was Canceled #7401 @michaelbeaumont
feat(xds): filter-chain builder constructor require name #7131 @mmorel-35
feat(xds): named resources (clusters) builders require name #7104 @mmorel-35
feat(xds): named resources (listeners) builders require name #7105 @mmorel-35
feat(xds): named resources (routes configuration) builders require name #7106 @mmorel-35
feat(zoneproxies): check empty listeners #7562 @jakubdyszkiewicz
fix(MeshTrafficPermission): use serviceName instead of resource name for egress MTP #7225 @lukidzi
fix(api-server): return 400 when PUT/POST resource is invalid #7560 @lahabana
fix(containerd): only build cgroups on linux #7408 @slonka
fix(dataplane_watchdog): fix outdated comment #7565 @nicoche
fix(egress): routing using MeshHTTPRoute and VirtualOutbound #7536 @jakubdyszkiewicz
fix(insights): rewrite insights to allow more efficiency #7375 @lahabana
fix(intercp): properly track idleness of pool connections #7323 @michaelbeaumont
fix(k8s): tolerate unknown appProtocol #7133 @michaelbeaumont
fix(kuma-cp): cancel OnTick when watchdog stopped #7221 @michaelbeaumont
fix(kuma-cp): do not require certs on https api port #7102 @jakubdyszkiewicz
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service #7282 @lukidzi
fix(kuma-cp): don’t leak goroutine on every tick in SimpleWatchdog #7348 @lukidzi
fix(kuma-cp): don’t return from opentelemetry Start #7157 @michaelbeaumont
fix(kuma-cp): handle advertised address in zone ingress #7332 @jakubdyszkiewicz
fix(kuma-cp): handle external services with permissive mtls #7179 @jakubdyszkiewicz
fix(kuma-cp): order resources for building VIPs #7333 @lukidzi
fix(kuma-cp): pass context via snapshot reconciler to generateCerts #7231 @michaelbeaumont
fix(kuma-cp): put metadata xds callbacks before sync #7230 @lobkovilya
fix(kuma-cp): universal mode don’t log on every lock acquire attempt #7593 @michaelbeaumont
fix(kuma-dp): pass sockets in metadata from dp to cp #7218 @lahabana
fix(kumactl): treat 404 as resource not found error #7297 @slonka
fix(metrics): hijacker should not pass accept-encoding #7572 @jakubdyszkiewicz
fix(sec): get rid of dependency on containerd #7387 @slonka
perf(kuma-cp): trim zone ingress and service insights #7098 @jakubdyszkiewicz
perf(xds): use aggregated mesh context for zone proxies #7449 @jakubdyszkiewicz
perf(zoneingress): only pick resources from proper mesh #7415 @jakubdyszkiewicz

2.1.6

Released on 2023/08/15

chore(deps): bump github.com/docker/distribution from 2.8.2-beta.1 to 2.8.2 @michaelbeaumont
chore(deps): bump kumahq/kuma from 9b24e08ef23a to bc5859add @kong-mesh,@michaelbeaumont
chore(deps): security update @kong-mesh

Includes kumahq/kuma@2.1.6 changelog

chore(deps): bump go from 1.18 to 1.20.7 #7446 #7489 @michaelbeaumont
chore(deps): security update #7405 #7442 @kumahq
fix(sec): get rid of dependency on containerd (backport of #7387) #7390 @kumahq

2.2.4

Released on 2023/08/07

chore(deps): bump github.com/docker/distribution from 2.8.1 to 2.8.2 @michaelbeaumont
chore(deps): bump kumahq/kuma from 5a31d8ce5239 to 858fa348f @kong-mesh,@michaelbeaumont
chore(deps): security update @kong-mesh
chore(deps): update containerd to v1.7.3 @michaelbeaumont

Includes kumahq/kuma@2.2.4 changelog

chore(deps): security update #7454 @kumahq
chore(deps): update go from 1.20.5 to 1.20.6 (backport of #7414) #7417 @kumahq
chore(deps): update to go 1.20.7 (backport of #7429) #7432 @kumahq
chore(deps): upgrade envoy to 1.25.9 #7366 @lukidzi
fix(containerd): only build cgroups on linux (backport of #7408) #7422 @kumahq
fix(kuma-cp): don’t leak goroutine on every tick in SimpleWatchdog (backport of #7348) #7355 @kumahq
fix(kuma-cp): order resources for building VIPs (backport of #7333) #7362 @kumahq
fix(sec): get rid of dependency on containerd (backport of #7387) #7391 @kumahq

2.3.2

Released on 2023/08/04

chore(deps): bump kumahq/kuma from 45dd7ae494d4 to c56df8092 @kong-mesh
chore(deps): update containerd to v1.7.3 @michaelbeaumont

Includes kumahq/kuma@2.3.2 changelog

chore(deps): security update #7443 @kumahq
chore(deps): update go from 1.20.5 to 1.20.6 (backport of #7414) #7419 @kumahq
chore(deps): update to go 1.20.7 (backport of #7429) #7435 @kumahq
chore(deps): upgrade envoy to 1.26.4 #7368 @lukidzi
fix(containerd): only build cgroups on linux (backport of #7408) #7425 @kumahq
fix(kuma-cp): don’t leak goroutine on every tick in SimpleWatchdog (backport of #7348) #7351 @kumahq
fix(kuma-cp): order resources for building VIPs (backport of #7333) #7359 @kumahq
fix(sec): get rid of dependency on containerd (backport of #7387) #7392 @kumahq

2.1.5

Released on 2023/08/03

chore(deps): upgrade envoy to 1.24.10 #7363 @lukidzi
chore(deps): bump kumahq/kuma from 60a2d39e7d56 to 7ba3e3579 @kong-mesh

Includes kumahq/kuma@2.1.5 changelog

chore(deps): upgrade envoy to 1.24.10 #7363 @lukidzi
fix(kuma-cp): don’t leak goroutine on every tick in SimpleWatchdog (backport of #7348) #7352 @kumahq
fix(kuma-cp): order resources for building VIPs (backport of #7333) #7361 @kumahq

2.0.7

Released on 2023/07/28

chore(deps): upgrade envoy to 1.24.10 #7364 @lukidzi
chore(deps): bump kumahq/kuma from d8705e29be4c to 4ecbae545 @kong-mesh

Includes kumahq/kuma@2.0.7 changelog

chore(deps): upgrade envoy to 1.24.10 #7364 @lukidzi
fix(kuma-cp): order resources for building VIPs (backport of #7333) #7358 @kumahq

1.9.8

Released on 2023/07/28

chore(deps): upgrade envoy to 1.24.10 #7365 @lukidzi
fix(kuma-cp): order resources for building VIPs (backport of #7333) #7360 @kumahq

2.3.1

Released on 2023/07/21

update Envoy version to 1.26.3 which includes fix for CVE-2023-35945
chore(deps): bump kumahq/kuma from bba743f5ae56 to 45dd7ae49 @kong-mesh,@michaelbeaumont

Includes kumahq/kuma@2.3.1 changelog

chore(deps): bump envoy to 1.26.3 which fix CVE-2023-35945 #7266 @lukidzi
chore(deps): use latest kumahq/kuma-gui #7096 @kumahq
fix(MeshTrafficPermission): use serviceName instead of resource name for egress MTP (backport of #7225) #7233 @kumahq
fix(kuma-cp): cancel OnTick when watchdog stopped (backport of #7221) #7241 @kumahq
fix(kuma-cp): do not require certs on https api port (backport of #7102) #7111 @kumahq
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service (backport of #7282) #7295 @kumahq
fix(kuma-cp): handle external services with permissive mtls (backport of #7179) #7187 @kumahq
fix(kuma-cp): pass context via snapshot reconciler to generateCerts (backport of #7231) #7250 @kumahq
fix(kuma-cp): put metadata xds callbacks before sync (backport of #7230) #7244 @kumahq
fix(kumactl): treat 404 as resource not found error (backport of #7297) #7303 @kumahq

2.2.3

Released on 2023/07/21

update Envoy version to 1.25.8 which includes fix for CVE-2023-35945

chore(deps): bump kumahq/kuma from 2e775e96a30e to fd7bb16d0 @kong-mesh

Includes kumahq/kuma@2.2.3 changelog

chore(deps): bump envoy to 1.25.8 which fix CVE-2023-35945 #7265 @lukidzi
fix(kuma-cp): cancel OnTick when watchdog stopped (backport of #7221) #7242 @kumahq
fix(kuma-cp): do not require certs on https api port (backport of #7102) #7110 @kumahq
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service (backport of #7282) #7291 @kumahq
fix(kuma-cp): handle external services with permissive mtls (backport of #7179) #7185 @kumahq
fix(kuma-cp): pass context via snapshot reconciler to generateCerts (backport of #7231) #7254 @kumahq
fix(kuma-cp): put metadata xds callbacks before sync (backport of #7230) #7245 @kumahq

2.1.4

Released on 2023/07/21

update Envoy version to 1.24.9 which includes fix for CVE-2023-35945
chore(deps): bump kumahq/kuma from a2cf8c765290 to 60a2d39e7 @kong-mesh

Includes kumahq/kuma@2.1.4 changelog

chore(deps): bump envoy to 1.24.9 which fix CVE-2023-35945 #7264 @lukidzi
fix(kuma-cp): cancel OnTick when watchdog stopped (backport of #7221) #7240 @kumahq
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service (backport of #7282) #7294 @kumahq
fix(kuma-cp): handle external services with permissive mtls (backport of #7179) #7188 @kumahq
fix(kuma-cp): pass context via snapshot reconciler to generateCerts (backport of #7231) #7251 @kumahq
fix(kuma-cp): put metadata xds callbacks before sync (backport of #7230) #7247 @kumahq

2.0.6

Released on 2023/07/21

update Envoy version to 1.24.9 which includes fix for CVE-2023-35945

chore(deps): bump kumahq/kuma from c92a5afd5f13 to d8705e29b @kong-mesh

Includes kumahq/kuma@2.0.6 changelog

chore(deps): bump envoy to 1.24.9 which fix CVE-2023-35945 #7263 @lukidzi
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service (backport of #7282) #7293 @kumahq
fix(kuma-cp): handle external services with permissive mtls (backport of #7179) #7186 @kumahq

1.9.7

Released on 2023/07/21

update Envoy version to 1.24.9 which includes fix for CVE-2023-35945

chore(deps): bump kumahq/kuma from af41f882c68c to 0aaf921a0 @kong-mesh

2.3.0

Released on 2023/06/26

chore(deps): bump github.com/Kong/kauth-api from 1.94.0 to 1.100.0 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.44.241 to 1.44.268 @dependabot
chore(deps): bump github.com/cert-manager/cert-manager from 1.11.0 to 1.12.0 @dependabot
chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 24.0.0+incompatible @dependabot
chore(deps): bump github.com/hashicorp/vault/api from 1.9.0 to 1.9.1 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.8.1 to 0.9.0 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.18.0 to 0.19.0 @dependabot
chore(deps): bump kumahq/kuma from d98ca8aacc47 to c96910d2e @kong-mesh,@lahabana,@slonka
chore(deps): bump otel @slonka
chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.0-beta.0 to 0.15.0 @dependabot
chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 @dependabot
chore(deps): bump ubi9-minimal from 9.1.0-1829 to 9.2-484 @dependabot
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
chore(release): merge release-2.2 to master @slonka
feat(MeshGlobalRateLimit): add header based rate limiting @Automaat
feat(MeshGlobalRateLimit): add ratelimit service auth @bartsmykla
feat(MeshGlobalRateLimit): allow to configure MeshSubset in top level… @Automaat
feat(MeshGlobalRateLimit): secure communication between ratelimit service and DPP with TLS @Automaat
feat(MeshGlobalRateLimit): securing communication between DPP and ratelimit service MADR @Automaat
feat(MeshOPA): support builtin gateway listeners @michaelbeaumont
feat(config): remove konnect section from config @jakubdyszkiewicz
feat(kuma-cp): added authz integration with kauth-pdp for api-server @lukidzi
feat(kuma-cp): alternative store that supports multitenancy @jakubdyszkiewicz
feat(kuma-cp): rename variable and add helm config @lukidzi
feat(kuma-cp): use kauth to validate KDS token @lukidzi
feat(mink): add endpoint to provision a zone @slonka
feat(mink): fix running memory storage type and rls @slonka
feat(mink): only initialize konnect client when the auth type is konnect @slonka
feat(mink): owner tenant id fix @slonka
feat(mink): provisioning a zone with kauth token @slonka
feat(mink): reenable konnect specific migrations test @slonka
feat(mink): rename the endpoint and payload to match front-end @slonka
feat(mink): skip authnz on konnect health endpoint @jakubdyszkiewicz
feat(mink): skip vcp header check on /health @slonka
feat(multitenancy): introduce RLS @slonka
feat(multitenancy): put tenant id in postgres events @jakubdyszkiewicz
feat(multitenancy): rls for existing user @jakubdyszkiewicz
fix(MeshOPA): apply policy to correct inbounds @michaelbeaumont
fix(deployment): turn off cancel in progress for mink charts update @slonka
fix(helm): add cert-manager RBAC @johnharris85
fix(helm): update HPA API version @johnharris85
fix(kauth): refresh service client tokens @iamnande
fix(konnect): remove Bearer from the token @lukidzi
fix(kuma-cp): change the order of columns in primary key @lukidzi
fix(kuma-cp): disable kds token component when deployment type konnect @lukidzi
fix(kuma-cp): fixed naming of a path @lukidzi
fix(kuma-cp): fixed naming of envs and added missing env def @lukidzi
fix(kuma-cp/run): don’t fail if valid kuma-cp args are passed @michaelbeaumont
fix(mink): properly quote rls user in migration @slonka
fix(mink): properly quote user for rls double escape @slonka
fix(mink): use shared go claims for konnect client @slonka
fix(rls): do not recreate db conns in a loop @jakubdyszkiewicz

Includes kumahq/kuma@2.3.0 changelog

chore(deps): bump Envoy from v1.25.4 to v1.26.2 #6638 #6938 @lukidzi,@michaelbeaumont
chore(deps): bump cirello.io/pglock from 1.11.0 to 1.13.0 #6817 #6927 @dependabot
chore(deps): bump controller-runtime from v0.14.6 to v0.15.0 #6809 #6832 @dependabot,@michaelbeaumont
chore(deps): bump gateway-api from v0.7.0 to c9540a9cf448 #6614 #6674 #6735 #6771 #6840 #6912 #7020 @dependabot,@michaelbeaumont
chore(deps): bump github.com/containernetworking/plugins from 1.2.0 to 1.3.0 #6738 @dependabot
chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #6751 @dependabot
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #6866 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.1 #6617 #6737 @dependabot
chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 #6742 @dependabot
chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.15.2 to 4.16.2 #6864 #6928 #7000 @dependabot
chore(deps): bump github.com/lib/pq from 1.10.7 to 1.10.9 #6554 #6650 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.53 to 1.1.54 #6651 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.10.0 #6689 #6768 #6925 #7002 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.8 #6818 #7001 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.1 #6555 #6692 @dependabot
chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #6691 @dependabot
chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.44.0 #6690 #6814 @dependabot
chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #6926 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.4 to 2.1.6 #6867 #7003 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.18.0 to 0.20.1 #6708 #6736 @dependabot
chore(deps): bump go.opentelemetry.io/proto/otlp from 0.19.0 to 0.20.0 #7004 @dependabot
chore(deps): bump golang from 1.20.4 to 1.20.5 #6587 #6828 #6959 @lahabana,@lukidzi
chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #6712 @dependabot
chore(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0 #6693 @dependabot
chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #6687 @dependabot
chore(deps): bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 #6652 @dependabot
chore(deps): bump k8s.io/kubectl from 0.26.3 to 0.27.2 #6813 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.11.3 to 0.12.0 #6586 #6688 @dependabot
chore(deps): use latest kumahq/kuma-gui #6548 #6552 #6562 #6576 #6606 #6616 #6629 #6640 #6655 #6656 #6659 #6661 #6662 #6664 #6675 #6678 #6701 #6702 #6710 #6715 #6753 #6756 #6762 #6774 #6775 #6776 #6777 #6791 #6798 #6801 #6803 #6807 #6811 #6821 #6822 #6823 #6824 #6830 #6833 #6834 #6835 #6837 #6847 #6850 #6851 #6871 #6875 #6877 #6878 #6879 #6882 #6885 #6904 #6914 #6919 #6921 #6932 #6933 #6937 #6939 #6941 #6946 #6949 #6954 #6958 #6975 #6978 #6980 #6982 #6984 #6994 #6998 #7005 #7009 #7011 #7012 #7013 #7015 #7038 #7060 #7074 #7096 @kumahq
feat(MeshCircuitBreaker): support MeshGateways #6706 @michaelbeaumont
feat(MeshGateway): add TLS passthrough listeners #6922 @michaelbeaumont
feat(MeshGateway): support termination on TLS listeners #6952 @michaelbeaumont
feat(MeshHealthCheck): support MeshGateway #6743 @michaelbeaumont
feat(MeshLoadBalancingStrategy): add builtin gateway support #6800 @michaelbeaumont
feat(MeshRetry): add host selection predicates #6346 @johnharris85
feat(api-server): add ability to get k8s format of a resource #6673 @lahabana
feat(api-server): make errors compliant with aip 193 #7017 @lahabana
feat(client): Consolidate HTTP Client #6849 @mmorel-35
feat(cni): k8s make namespace configurable #6721 @mmorel-35
feat(config): improve configurability #6583 @slonka
feat(docker/kumactl): make entrypoint consistent with kuma-cp and kuma-dp images #6596 @bartsmykla
feat(envoyadmin): support passing kds envoy operations via http proxy #6915 @jakubdyszkiewicz
feat(helm): Add logOutputPath support to chart #6649 @ashman1984
feat(helm): add possibility to extend secrets for cp in helm charts when reusing kuma charts #6883 @Automaat
feat(helm): enable NodePort customization #6770 @mmorel-35
feat(helm): remove hostNetwork: true from CNI DaemonSet #6599 @michaelbeaumont
feat(helm): set readOnlyRootFilesystem on CNI, more explicit templates #6604 @michaelbeaumont
feat(helm): validate zone name on install #6739 @mmorel-35
feat(insights): include tenant id in insights info key #6804 @jakubdyszkiewicz
feat(insights): include tenant id in rate limitter key #6808 @jakubdyszkiewicz
feat(intercp): pass tenant id #6856 @jakubdyszkiewicz
feat(intercp): use global tenant for catalog request #6863 @jakubdyszkiewicz
feat(k8s): add read-only root FS to sidecar #6681 @dascole
feat(k8s): show Dataplane services in kubectl output #6725 @michaelbeaumont
feat(kds): configurable server stream interceptors #6697 @jakubdyszkiewicz
feat(kds): multitenancy #6723 @jakubdyszkiewicz
feat(kds): opt-in insecure skip verify in zone cp client #6991 @jakubdyszkiewicz
feat(kuma-cp): top-level MeshHTTPRoute targetRef for MeshTimeout #7016 @lobkovilya
feat(kuma-cp): add possibility to configure concurrent reconciliation… #7010 @Automaat
feat(kuma-cp): add possibility to configure kubernetes client qps and… #6951 @Automaat
feat(kuma-cp): allow to override resource store plugin #6887 @jakubdyszkiewicz
feat(kuma-cp): allow to specify protocol for globalZone sync service #6842 @lukidzi
feat(kuma-cp): implement MeshTrafficPermisson for ExternalServices with ZoneEgress #7061 @lukidzi
feat(kuma-cp): improve BuildRules algorithm #6973 @lobkovilya
feat(kuma-cp): introduce tag first Virtual Outbound model #7076 @Automaat
feat(kuma-cp): multitenancy adjustments #6705 @jakubdyszkiewicz
feat(kuma-cp): multitenant counter metrics #6707 @jakubdyszkiewicz
feat(kuma-cp): remove unnecessary reconciliation of pods on configmap… #7014 @Automaat
feat(kuma-cp): support MeshHTTPRoute targetRef #6983 @lobkovilya
feat(mesh): allow disabling default policy creation #6481 #6931 @johnharris85
feat(meshaccesslog): use “type” to express oneof #6676 @lobkovilya
feat(meshtrace): use “type” to express oneof #6679 @lobkovilya
feat(mtls): generate certificates for Address and AdvertisedAddress for Dataplane and Ingress #6584 @mmorel-35
feat(multitenancy): postgres events #6799 @jakubdyszkiewicz
feat(policy): add MeshTCPRoute #6806 #6873 #6888 @bartsmykla
feat(resources): retry upsert on resource already exist #7022 @jakubdyszkiewicz
feat(tls): remove commonName in certificate generation #6627 @mmorel-35
feat(ui): add mode in the config in the index.html #6942 @lahabana
feat(webhook): make init ordering configurable first/last #7070 @johnharris85
feat(webhook): warn/fail if containers use same UID as sidecar #7042 @johnharris85
fix(GatewayAPI): convert HTTP header names to lowercase #6704 @michaelbeaumont
fix(GatewayAPI): don’t panic if an HTTPRoute references a Gateway with a nonexistent GatewayClass #6722 @michaelbeaumont
fix(GatewayAPI): don’t share HTTPRoute conditions between parentRefs #6537 @michaelbeaumont
fix(GatewayAPI): npe errors #6852 @michaelbeaumont
fix(GatewayAPI): reconcile Gateways on Secret changes #6754 @michaelbeaumont
fix(MeshGateway): don’t strip ports from host #6755 @michaelbeaumont
fix(MeshGateway): tweak route precedence to match Gateway API #6843 @michaelbeaumont
fix(MeshGatewayInstance): don’t overwrite annotations/labels in managed Service #7069 @michaelbeaumont
fix(MeshHTTPRoute): assume default catch all path (any path starting with “/”) in route match when not explicitly set #6993 @bartsmykla
fix(MeshHTTPRoute): only configure HTTP outbounds or with an explicit matching rule #6876 @michaelbeaumont
fix(MeshHTTPRoute): rename Prefix to PathPrefix #6578 @michaelbeaumont
fix(MeshHTTPRoute): require at least one match #6796 @michaelbeaumont
fix(MeshRetry): set MeshGateway retry on routes not virtual hosts #7029 @michaelbeaumont
fix(MeshRetry): support MeshGateway #6779 @lobkovilya
fix(MeshTimeout): only apply Mesh targeted HTTP timeouts for MeshGateway #6981 @michaelbeaumont
fix(MeshTimeout): set idle timeout on gateways, use route action instead of hcm #6884 @michaelbeaumont
fix(MeshTrace): create spans with MeshGateway #7043 @michaelbeaumont
fix(api-server): service-insights should never return items: null #6648 @lahabana
fix(config): add delta xds flag to defaults #7085 @johnharris85
fix(gateway): don’t skip retry policy with retry methods #6896 @bartsmykla
fix(helm): change CNI priorityClass from system-cluster-critical to system-node-critical #6634 @michaelbeaumont
fix(helm): correct appProtocol configurations for https #7087 @johnharris85
fix(helm): update HPA API version #6792 @johnharris85
fix(helm): use correct secret for CP CA in ingress/egress #6663 @michaelbeaumont
fix(insights): react on events #6826 @jakubdyszkiewicz
fix(kds): trim system namespace suffix from names of plugin originated policies when syncing resources from global to zones in multizone mode. #7019 @bartsmykla
fix(kuma-cp): add backward compatible reading of virtual outbound from config #7088 @Automaat
fix(kuma-cp): add missing validation for MeshTimeout #7035 @lobkovilya
fix(kuma-cp): make finalizer tenant aware #6929 @lukidzi
fix(kuma-cp): make store changes processing more reliable #6728 @lukidzi
fix(kuma-cp): make zone insight context independent from parent #6909 @lukidzi
fix(kuma-cp): race condition when proxy connects to the same CP in less than KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY #6568 @lobkovilya
fix(kuma-cp): replace err with log when TargetRef can’t be resolved #7032 @lobkovilya
fix(kuma-cp): reset idleTimeout from the old Timeout policy #6747 @lobkovilya
fix(kuma-cp): use port instead of target port of a headless service #7063 @jakubdyszkiewicz
fix(kuma-cp): wait between the proxy termination and its deregistration #6533 @lobkovilya
fix(kuma-dp): honour app content-type #6783 @AyushSenapati
fix(kumactl): return after loading configuration from memory #6518 @lukidzi
fix(multitenancy): global tenant in intercp when creating certs #6789 @jakubdyszkiewicz
perf(k8s): don’t reconcile all pods when a service changes #6986 @lahabana
perf(k8s): omit fetching other dataplanes when vips are in the config map #6940 @jakubdyszkiewicz
refactor(kds): remove unnecessary function nesting for MapZoneTokenSigningKeyGlobalToPublicKey resource mapper in kds context #7018 @bartsmykla

2.2.2

Released on 2023/06/21

chore(deps): bump kumahq/kuma from e30ace1c5856 to 2e775e96a @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.2.2 changelog

chore(deps): bump go version from 1.20.3 to 1.20.5 #6987 @lukidzi
chore(deps): upgrade envoy to 1.25.7 #6967 @lukidzi
fix(MeshGatewayInstance): don’t overwrite annotations/labels in managed Service (backport of #7069) #7081 @kumahq
fix(gateway): don’t skip retry policy with retry methods (backport of #6896) #6899 @kumahq
fix(kuma-cp): make store changes processing more reliable (backport of #6728) #6765 @kumahq

2.1.3

Released on 2023/06/21

chore(deps): bump kumahq/kuma from 7233fbcad813 to a2cf8c765 @kong-mesh
chore(deps): upgrade kuma version and Envoy to 1.24.8 @lukidzi
chore(deps): upgrade ubi image from 8.7 to 9.1 @lukidzi

Includes kumahq/kuma@2.1.3 changelog

chore(deps): upgrade envoy to 1.24.8 #6969 @lukidzi
chore(deps): use latest kumahq/kuma-gui #6573 #6575 #6886 @kumahq
fix(MeshGatewayInstance): don’t overwrite annotations/labels in managed Service (backport of #7069) #7078 @kumahq
fix(docker/kumactl): add entrypoint to kumactl img (backport #6593) #6595 @mergify
fix(gateway): don’t skip retry policy with retry methods (backport of #6896) #6900 @kumahq
fix(kuma-cp): make store changes processing more reliable (backport of #6728) #6767 @kumahq

2.0.5

Released on 2023/06/21

chore(deps): bump kumahq/kuma from f4117ec0c431 to c92a5afd5 @kong-mesh
chore(deps): upgrade kuma version and Envoy to 1.24.8 @lukidzi
chore(deps): upgrade ubi image from 8.7 to 9.1 @lukidzi

Includes kumahq/kuma@2.0.5 changelog

chore(deps): upgrade envoy to 1.24.8 #6968 @lukidzi
fix(MeshGatewayInstance): don’t overwrite annotations/labels in managed Service (backport of #7069) #7080 @kumahq
fix(gateway): don’t skip retry policy with retry methods (backport of #6896) #6901 @kumahq
fix(kuma-cp): make store changes processing more reliable (backport of #6728) #6763 @kumahq

1.9.6

Released on 2023/06/21

chore(deps): bump kumahq/kuma from 22ae8e02c752 to af41f882c @kong-mesh
chore(deps): fix security update for 1.9 @slonka
chore(deps): security update @kong-mesh
chore(deps): upgrade kuma version and Envoy to 1.24.8 @lukidzi
chore(deps): upgrade ubi image from 8.7 to 9.1 @lukidzi

2.2.1

Released on 2023/05/11

chore(deps): bump kumahq/kuma from 9a2812c6b3a4 to e30ace1c5 @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh

Includes kumahq/kuma@2.2.1 changelog

chore(deps): bump golang from 1.20.2 to 1.20.3 #6597 @mergify
chore(deps): use latest kumahq/kuma-gui #6574 @kumahq
fix(docker/kumactl): add entrypoint to kumactl img (backport #6593) #6594 @mergify

2.2.0

Released on 2023/04/14

chore(deps): bump actions/checkout from 2 to 3 @dependabot
chore(deps): bump actions/github-script from 5 to 6 @dependabot
chore(deps): bump actions/setup-go from 3 to 4 @dependabot
chore(deps): bump github.com/aws/aws-sdk-go from 1.44.187 to 1.44.236 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.10.1 to 3.10.2 @dependabot
chore(deps): bump github.com/golang/protobuf from 1.5.2 to 1.5.3 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.41.9 to 0.41.16 @dependabot
chore(deps): bump github.com/hashicorp/vault/api from 1.8.3 to 1.9.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.3.0 to 0.4.0 @dependabot
chore(deps): bump github.com/hashicorp/vault/sdk from 0.7.0 to 0.8.1 @dependabot
chore(deps): bump github.com/open-policy-agent/opa from 0.49.0 to 0.49.1 @dependabot
chore(deps): bump github.com/open-policy-agent/opa-envoy-plugin from 0.48.0-envoy to 0.49.2-envoy @dependabot
chore(deps): bump gopkg.in/natefinch/lumberjack.v2 from 2.0.0 to 2.2.1 @dependabot
chore(deps): bump kumahq/kuma from c53b7eee1b7d to 9a2812c6b @kong-mesh,@lahabana
chore(deps): bump peter-evans/create-pull-request from 4 to 5 @dependabot
chore(deps): bump ubi8/ubi-minimal from 8.7 to 8.7-1085 @dependabot
chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kong-mesh
feat(MeshOPA): composable policies @jakubdyszkiewicz
feat(authn): cache konnect auth tokens @jakubdyszkiewicz
feat(authn): kauth integration @jakubdyszkiewicz
feat(ca/certmanager): allow a CA to be provided in config @michaelbeaumont
feat(ca/certmanager): option to set certificate dnsNames @michaelbeaumont
feat(ca/certmanager): rename conf.ca to conf.caCert (backport #2963) @mergify
feat(docker): update to UBI 9 images @michaelbeaumont
feat(kuma-cp): add auth method for delta kds @lukidzi
feat(policies): implement MeshGlobalRateLimit policy @Automaat,@michaelbeaumont
fix(acm): use region of Private CA instead of control plane @michaelbeaumont
fix(ca/certmanager): don’t block unnecessarily long, decrease wait interval @michaelbeaumont
fix(ca/certmanager): don’t busy wait when getting certs @michaelbeaumont
fix(ca/certmanager): don’t force common name to be set in CSRs @michaelbeaumont
fix(docker): set entrypoint of base UBI image @michaelbeaumont
fix(docker): set user as UID in image rather than name @lahabana
fix(k8s): fix storage version migrator spinning @slonka
fix(kuma-cp): don’t let CA requests for other meshes block generation @michaelbeaumont
fix(vault): token renewal after secret change fix @bartsmykla

Includes kumahq/kuma@2.2.0 changelog

Modify helm.sh script to make sure no duplicate manifests will be present in packaged chart #6512 @bartsmykla
chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5982 @lahabana
chore(deps): bump actions/setup-go from 3 to 4 #6311 @dependabot
chore(deps): bump cirello.io/pglock from 1.10.0 to 1.11.0 #6149 @dependabot
chore(deps): bump coredns from 1.10.0 to 1.10.1 #6227 @michaelbeaumont
chore(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.10.0 #6152 @dependabot
chore(deps): bump github.com/containerd/cgroups from 1.0.4 to 1.1.0 #5878 @dependabot
chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 #6051 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.10.1 to 3.10.2 #6261 @dependabot
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.10.3 to 0.11.0 #5947 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.1 #6307 #6316 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.2.3 to 1.2.4 #6454 @dependabot
chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.4.3 to 4.5.0 #6071 @dependabot
chore(deps): bump github.com/golang/protobuf from 1.5.2 to 1.5.3 #6263 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.41.9 to 0.41.15 #5924 #6076 #6258 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.50 to 1.1.53 #6150 #6262 #6453 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.9.2 #5928 #6043 #6074 #6172 #6208 #6260 #6355 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.25.0 to 1.27.6 #5874 #6072 #6167 #6259 #6271 #6353 #6450 @dependabot
chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.42.0 #6073 #6273 @dependabot
chore(deps): bump github.com/prometheus/prometheus from 0.41.0 to 0.42.0 #5927 @dependabot
chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 #6475 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe from 0.0.0-20190820222348-6adcf1eecbcc to github.com/spiffe/go-spiffe/v2 #6151 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.2 to 2.1.4 #6313 #6451 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.15.0 to 0.18.0 #6075 @dependabot
chore(deps): bump github.com/vishvananda/netns to 0.0.4 #6103 @mmorel-35
chore(deps): bump go from 1.18 to 1.20.2 #6179 #6279 @jakubdyszkiewicz,@lahabana
chore(deps): bump go.uber.org/multierr from 1.9.0 to 1.11.0 #6264 #6452 @dependabot
chore(deps): bump golang.org/x/net from 0.5.0 to 0.8.0 #6003 #6042 #6209 @dependabot
chore(deps): bump golang.org/x/sys from 0.4.0 to 0.7.0 #5948 #6476 @dependabot
chore(deps): bump golang.org/x/text from 0.6.0 to 0.8.0 #6004 #6211 @dependabot
chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.54.0 #5877 #5946 #6354 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.28.1 to 1.30.0 #6274 #6309 @dependabot
chore(deps): bump gopkg.in/natefinch/lumberjack.v2 from 2.0.0 to 2.2.1 #5949 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.11.0 to 3.11.2 #5962 #6265 @dependabot
chore(deps): bump k8s.io/apiextensions-apiserver from 0.26.1 to 0.26.3 #6168 #6318 @dependabot
chore(deps): bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 #6207 @dependabot
chore(deps): bump k8s.io/kubectl from 0.26.1 to 0.26.3 #6171 #6308 @dependabot
chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.1 to 0.14.6 #5875 #5926 #6210 #6455 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.11.1 to 0.11.3 #5876 #5925 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from v0.5.1 to v0.6.0 #5559 @michaelbeaumont
chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #5879 @dependabot
chore(deps): remove dependency on github.com/prometheus/prometheus #6204 @lahabana
chore(deps): security update #6397 #6473 @kumahq
chore(deps): use latest kumahq/kuma-gui #5866 #5883 #5911 #5931 #5937 #5940 #5952 #5958 #6002 #6067 #6078 #6155 #6158 #6161 #6176 #6197 #6216 #6243 #6302 #6317 #6345 #6360 #6373 #6400 #6402 #6425 @kumahq
feat(GatewayAPI): support HTTPRoutePathRedirect #6437 @michaelbeaumont
feat(GatewayAPI): support ResponseHeaderModifier in HTTPRoute #6000 @michaelbeaumont
feat(GatewayAPI): update to v0.6.2 #6293 @michaelbeaumont
feat(MeshAccessLog): support OpenTelemetry #5999 @michaelbeaumont
feat(MeshGateway): auto host rewrite for gateway route #6328 @bartsmykla
feat(MeshGateway): support deployment customization for MeshGatewayInstance #6348 #6388 @johnharris85
feat(MeshHTTPRoute): add RequestMirror filter #6064 @lobkovilya
feat(MeshHTTPRoute): add header matching #5943 @michaelbeaumont
feat(MeshHTTPRoute): add path modifier to redirect #5918 @lobkovilya
feat(MeshHTTPRoute): cross-zone support #5984 @michaelbeaumont
feat(MeshProxyPatch): add json patch support #6281 @bartsmykla
feat(MeshRetry): add host selection predicates #6465 @johnharris85
feat(MeshTrace): add support for opentelemetry trace backend #5992 @frzifus
feat(api-server): manual mTLS #5979 @jakubdyszkiewicz
feat(api-server): whoami endpoint #6120 @jakubdyszkiewicz
feat(auth): separate authenticators for dp and zone proxy #5991 @jakubdyszkiewicz
feat(helm): add default CNI resources #6287 @michaelbeaumont
feat(helm): dynamic admission server port #6344 @d4kine
feat(helm): make egress resources configurable #6286 @dascole
feat(helm): make it possbile to install universal cp on k8s #5913 @slonka
feat(k8s): add a configuration option to list allowed service accounts #6505 @slonka
feat(k8s): add annotation prometheus.metrics.kuma.io/aggregate-application-address to scrape custom address on k8s #6289 @slonka
feat(k8s): set kubectl.kubernetes.io/default-container pod annotation #6055 @michaelbeaumont
feat(kds): allow running non-tls KDS server #6145 @slonka
feat(kds): delta KDS #6278 #6358 @lukidzi
feat(kds): enable nack backoff #5894 @jakubdyszkiewicz
feat(kuma-cp): allow Mesh default resources regeneration without deletion and restart #6223 @michaelbeaumont
feat(kuma-cp): init container first by default #5857 @zekth
feat(kumactl): generate public key command #5917 @jakubdyszkiewicz
feat(kumactl): remove ca-cert or skip-verify requirement #6140 @jakubdyszkiewicz
feat(persistence): change lib/pq to pgx #6257 @slonka
feat(persistence): create pgx store #6359 #6457 @slonka
feat(policies): extend policy matching API to work with egress and external services #6379 @lobkovilya
feat(policies): implement MeshLoadBalancingStrategy #6117 #6163 #6202 #6390 @lobkovilya
feat(tokens): allow kid to be a string #5944 @jakubdyszkiewicz
feat(tokens): issue tokens offline #5919 @jakubdyszkiewicz
feat(tokens): offline validation #6085 @jakubdyszkiewicz
feat(tproxy): make tproxy v2 and CNI v2 default #6083 @bartsmykla
fix(GatewayAPI): always set an explicit HTTPRoute Parents in status #6367 @michaelbeaumont
fix(GatewayAPI): correctly handle invalid backendRefs #6428 @michaelbeaumont
fix(MeshHTTPRoute): filter URLRewrite should be configured with ClusterSpecifier #5920 @lobkovilya
fix(MeshRetry): guard against multiple previous priorities #6496 @johnharris85
fix(MeshTimeout): apply MeshTimeout defaults when one of from or to section is missing #5902 @Automaat
fix(ca/builtin): be less verbose when creating CA secrets #6217 @michaelbeaumont
fix(docker): set SHELL to an existing binary #6192 @michaelbeaumont
fix(docker): use no ssl image #5560 @slonka
fix(helm): add appProtocol to services we create #6157 @lahabana
fix(helm): don’t include taint controller env when cni disabled #6148 @lukidzi
fix(helm): dont specify a default type for extraSecrets #5932 @wheelerlaw
fix(helm): make it possible to use custom CA in egress and ingress #5980 @lahabana
fix(helm): postgres client cert setup #6335 @slonka
fix(helm): remove universal on kubernetes env vars that are supposed to be provided via secrets #5938 @slonka
fix(helm): security contexts for ebpf cleanup hook #6235 @bartsmykla
fix(helm): set CP memory limits, by default equal to memory request, set CP CPU requests #6127 @michaelbeaumont
fix(helm): set migration container resources and securityContext #6255 @michaelbeaumont
fix(helm): set readOnlyRootFilesystem/runAsNonRoot, create a ServiceAccount in correct release namespace #6121 @michaelbeaumont
fix(helm): set readOnlyRootFilesystem/runAsUser/runAsGroup on ingress/egress deployments #6164 @michaelbeaumont
fix(helm): upgrade CRDs instead of installing missing CRDs #6403 @jakubdyszkiewicz
fix(helm): use emptyDir at /tmp with CP #6162 @michaelbeaumont
fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 #6374 @jakubdyszkiewicz
fix(kuma-cp): allow names of the resource to be longer and validate the length #6123 @lukidzi
fix(kuma-cp): change default value for KubeOutboundsAsVIPs #6057 @Automaat
fix(kuma-cp): change validation of resources synced to global #6178 @jakubdyszkiewicz
fix(kuma-cp): don’t let CA requests for other meshes block generation #6282 @michaelbeaumont
fix(kuma-cp): traffic split with internal and external service #5904 @lobkovilya
fix(kuma-cp): zone ingress mixes services with the same name in different meshes #6364 @lobkovilya
fix(kumactl): don’t check compatibility when talking to a preview version #6143 @lahabana
fix(policy): merging of policies results in not applying policy on some outbounds #6460 @jakubdyszkiewicz
fix(tproxy): allow disabling ipv6 for tproxy #5923 @bartsmykla

2.1.2

Released on 2023/04/07

chore(deps): security update @kong-mesh
feat(ca/certmanager): allow a CA to be provided in config (backport #2952) @mergify
feat(ca/certmanager): rename conf.ca to conf.caCert @michaelbeaumont
feat(cert-manager): option to set certificate dnsNames (backport #2855) @mergify
fix(acm): use region of Private CA instead of control plane (backport #3101) @mergify
fix(ca/certmanager): don’t block unnecessarily long, decrease wait interval (backport #2951) @mergify
fix(ca/certmanager): don’t busy wait when getting certs (backport #2938) @mergify
fix(kuma-cp): don’t let CA requests for other meshes block generation (backport #2953) @mergify
fix(plugin/vault): token renew when secret change (backport #3025) @mergify
fix(plugins/ca/certmanager): don’t force common name to be set in CSRs (backport #2795) @mergify

Includes kumahq/kuma@2.1.2 changelog

chore(deps): bump coredns from 1.10.0 to 1.10.1 #6237 @mergify
chore(deps): remove dependency on github.com/prometheus/prometheus (backport #6204) #6205 @mergify
chore(deps): security update #6062 #6392 #6471 @kumahq
chore(deps): upgrade envoy to v1.22.10 #6483 @michaelbeaumont
fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 (backport #6374) #6376 @mergify
fix(kuma-cp): add components in runtime (backport #6350) #6381 @mergify
fix(kuma-cp): don’t let CA requests for other meshes block generation (backport #6282) #6284 @mergify
fix(policy): matcher with same key not the same value (backport #6460) #6466 @mergify

2.0.4

Released on 2023/04/07

chore(deps): security update @kong-mesh
fix(acm): use region of Private CA instead of control plane (backport #3101) @mergify
fix(plugin/vault): token renew when secret change (backport #3025) @mergify
fix(plugins/ca/certmanager): don’t force common name to be set in CSRs (backport #2795) @mergify

Includes kumahq/kuma@2.0.4 changelog

chore(deps): bump coredns from 1.10.0 to 1.10.1 #6238 @mergify
chore(deps): bump gorestful and jwt #6221 @lahabana
chore(deps): remove dependency on github.com/prometheus/prometheus (backport #6204) #6206 @mergify
chore(deps): security update #6063 #6395 #6472 @kumahq
chore(deps): upgrade envoy to v1.22.10 (backport #6483) #6484 @mergify
fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 (backport #6374) #6377 @mergify
fix(policy): matcher with same key not the same value (backport #6460) #6467 @mergify

1.9.5

Released on 2023/04/07

fix(plugin/vault): token renew when secret change (backport #3025) @mergify
fix(plugins/ca/certmanager): don’t force common name to be set in CSRs (backport #2795) @mergify

1.8.7

Released on 2023/04/07

fix(plugin/vault): token renew when secret change (backport #3025) @mergify

Includes kumahq/kuma@1.8.7 changelog

chore(deps): bump envoy to 1.24.9 which fix CVE-2023-35945 #7262 @lukidzi
fix(kuma-cp): don’t fail when 2 headless services pointing to the same service (backport of #7282) #7292 @kumahq

2.1.1

Released on 2023/02/16

chore(deps): security update @kong-mesh
chore(deps): use latest Kong/kong-mesh-gui @kongmesh
feat(makefiles): remove explicit envoy version @jakubdyszkiewicz
fix(ghaction): rename helm release action @jakubdyszkiewicz
fix(makefiles): implicit BASE_KUMA_VERSION (backport #2720) @mergify

Includes kumahq/kuma@2.1.1 changelog

chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5985 @mergify
chore(deps): security update #5965 @kumahq
chore(deps): use latest kumahq/kuma-gui #5912 #5915 #5977 @kumahq
feat(api-server): manual mTLS (backport #5979) #5981 @mergify
fix(helm): use custom CA in egress and ingress too (backport #5980) #5993 @mergify
fix(tproxy): fix disabling ipv6 for tproxy (backport #5923) #5953 @mergify

2.0.3

Released on 2023/02/16

feat(makefiles): remove explicit envoy version @jakubdyszkiewicz
fix(ghaction): rename helm release action (backport #2729) @mergify
fix(makefiles): implicit BASE_KUMA_VERSION (backport #2720) @mergify

Includes kumahq/kuma@2.0.3 changelog

chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5986 @mergify
chore(deps): security update #5762 #5969 @kumahq
fix(tproxy): fix disabling ipv6 for tproxy (backport #5923) #5954 @mergify

1.9.4

Released on 2023/02/16

chore(deps): security update @kong-mesh
feat(makefiles): remove explicit envoy version @jakubdyszkiewicz
fix(ghaction): rename helm release action (backport #2729) @mergify
fix(makefiles): implicit BASE_KUMA_VERSION (backport #2720) @mergify

1.8.6

Released on 2023/02/16

chore(deps): security update @kong-mesh
feat(makefiles): remove explicit envoy version @jakubdyszkiewicz
fix(ghaction): rename helm release action (backport #2729) @mergify
fix(makefiles): implicit BASE_KUMA_VERSION (backport #2720) @mergify

Includes kumahq/kuma@1.8.6 changelog

chore(deps): upgrade envoy to 1.24.8 #6966 @lukidzi
fix(MeshGatewayInstance): don’t overwrite annotations/labels in managed Service (backport of #7069) #7079 @kumahq
fix(gateway): don’t skip retry policy with retry methods (backport of #6896) #6902 @kumahq
fix(kuma-cp): make store changes processing more reliable (backport of #6728) #6764 @kumahq

1.7.7

Released on 2023/02/16

chore(deps): security update @kong-mesh
feat(makefiles): remove explicit envoy version @jakubdyszkiewicz
fix(ghaction): rename helm release action (backport #2729) @mergify
fix(makefiles): implicit BASE_KUMA_VERSION (backport #2720) @mergify

2.1.0

Released on 2023/02/15

Built on top of Kuma 2.1.0

Added the MeshOPA policy. This policy is compliant with new targetRef standard. This policy will replace OPA Policy.
RBAC now supports to and from selectors in targetRef based policies
Added the ability to specify list of users that have admin rights by default.
Limited the number of OPA policies you can configure to one because of OPA limitations.

Includes kumahq/kuma@2.1.0 changelog

chore(deps): bump alpine from 3.16.2 to 3.17.0 #5308 #5375 @dependabot
chore(deps): bump github.com/Masterminds/semver/v3 from 3.1.1 to 3.2.0 #5377 @dependabot
chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 #5457 @dependabot
chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 #5600 @dependabot
chore(deps): bump github.com/containernetworking/plugins from 1.1.1 to 1.2.0 #5733 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.9.1 #5277 #5311 #5460 @dependabot
chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.4.2 to 4.4.3 #5428 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.40.24 to 0.41.8 #5310 #5354 #5426 #5542 #5688 @dependabot,@lahabana
chore(deps): bump github.com/kumahq/kuma-net from 0.8.7 to 0.8.10 #5298 #5513 @lukidzi
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.7.0 #5319 #5351 #5687 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.23.0 to 1.25.0 #5275 #5313 #5539 #5789 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.13.0 to 1.14.0 #5274 #5323 @dependabot
chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #5483 #5523 @dependabot
chore(deps): bump github.com/prometheus/prometheus from 0.39.1 to 0.41.0 #5320 #5353 #5376 #5456 #5526 #5546 @dependabot
chore(deps): bump github.com/sethvargo/go-retry from 0.2.3 to 0.2.4 #5524 @dependabot
chore(deps): bump github.com/shopspring/decimal from 1.2.0 to 1.3.1 #5790 @dependabot
chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.15.0 #5273 #5788 @dependabot
chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 #5525 @dependabot
chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #5427 @dependabot
chore(deps): bump golang.org/x/net from 0.1.0 to 0.5.0 #5315 #5459 #5623 @dependabot
chore(deps): bump golang.org/x/sys from 0.1.0 to 0.4.0 #5312 #5430 #5621 @dependabot
chore(deps): bump golang.org/x/text from 0.4.0 to 0.6.0 #5458 #5624 @dependabot
chore(deps): bump golang.org/x/time from 0.1.0 to 0.3.0 #5325 #5429 @dependabot
chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.52.0 #5352 #5686 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.11.0 #5592 #5791 @dependabot
chore(deps): bump istio.io/pkg from v0.0.0-20201202160453-b7f8c8c88ca3 to v0.0.0-20221115183735-2aabb09bf0bb #5330 @mmorel-35
chore(deps): bump k8s.io/apiextensions-apiserver from 0.25.3 to 0.25.4 #5328 @mmorel-35
chore(deps): bump k8s.io/client-go from 0.25.3 to 0.25.4 #5316 @dependabot
chore(deps): bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 #5812 @dependabot
chore(deps): bump sigs.k8s.io/controller-runtime from 0.13.0 to 0.13.1 #5276 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.10.0 to 0.11.1, #5541 @dependabot
chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.8.0 #5434 #5879 @dependabot
chore(deps): install dev tools and split if more repos #5528 @lukidzi
chore(deps): security update #5761 @kumahq
chore(deps): update coreDNS to 1.10.0 #5626 @lahabana
chore(deps): update to emicklei/go-restful/v3 v3.10.1 and remove /tokens #5324 @dependabot
chore(deps): upgrade k3d #5518 @lukidzi
chore(deps): use latest kumahq/kuma-gui #5265 #5272 #5281 #5307 #5321 #5332 #5346 #5371 #5388 #5405 #5484 #5486 #5509 #5572 #5589 #5619 #5628 #5675 #5685 #5700 #5724 #5732 #5737 #5772 #5800 #5805 #5823 #5826 #5843 #5851 #5863 #5866 #5883 @kumahq
chore(deps): use sigs.k8s.io/yaml #5215 @mmorel-35
feat(MeshAccessLog): add OmitEmptyValues to MeshAccessLog format #5302 @mmorel-35
feat(MeshGatewayInstance): respect kuma.io/mesh label #5256 @michaelbeaumont
feat(MeshGatewayRoute): response header filter #5334 @michaelbeaumont
feat(api-server): ability to set rootUrl for GUI and API #5295 @lahabana
feat(api-server): add name search to dataplane overview #5340 @lahabana
feat(api-server): contain matches on name and tags #5606 @lahabana
feat(build): consistent docker images #5343 @slonka
feat(build): idempotent build #5291 #5358 #5403 #5404 #5407 #5440 @slonka
feat(gateway): add support for match header PRESENT and ABSENT #5739 @lahabana
feat(gui): serve index from all paths without extension #5357 @lahabana
feat(helm): add tolerations to Helm chart #5549 @KrustyHack
feat(helm): allow injecting env from parent projects #5677 @slonka
feat(helm): use object instead of list for plugins.policies #5735 @michaelbeaumont
feat(kuma-cp): add possibility to run diagnostics on TLS #5344 @mmorel-35
feat(kuma-cp): added configuration of plugins and its order #5472 @lukidzi
feat(kuma-cp): intOrString as decimal in the API #5768 @jakubdyszkiewicz
feat(kuma-cp): intercp communication protocol #5445 #5492 @jakubdyszkiewicz
feat(kuma-cp): recover from watchdog panics #5581 @jakubdyszkiewicz
feat(kuma-cp): remove value of secret when logging Secret Resources #5384 @Automaat
feat(kumactl): added option to install transparent proxy with docker #5284 @lukidzi
feat(policy): allow merging by a complex key #5650 @michaelbeaumont
feat(policy): append policy slices #5515 @jakubdyszkiewicz
feat(policy): don’t use protobuf for DataSource in policies #5668 #5756 @Automaat
feat(policy): implement MeshCircuitBreaker policy #5454 #5493 #5651 @bartsmykla,@lobkovilya
feat(policy): implement MeshFaultInjection policy #5723 #5773 @lukidzi
feat(policy): implement MeshHTTPRoute policy #5530 #5625 #5653 #5746 @michaelbeaumont,@slonka
feat(policy): implement MeshHealthCheck policy #5369 #5415 #5503 #5654 #5713 #5722 @lahabana,@lobkovilya,@michaelbeaumont,@slonka
feat(policy): implement MeshProxyPatch policy #5578 #5604 @jakubdyszkiewicz
feat(policy): implement MeshRateLimit policy #5362 #5463 #5710 #5742 @lobkovilya,@lukidzi
feat(policy): implement MeshRetry policy #5478 #5522 #5583 #5749 #5808 @lobkovilya,@slonka
feat(policy): implement MeshTimeout policy #5294 #5364 #5568 @Automaat,@michaelbeaumont
feat(policy): improve rules api #5785 @lahabana
feat(policy): validate schema only during the user’s input unmarshal #5566 @lobkovilya
feat(security): add dependabot security updates to release branches #5731 #5734 #5758 #5767 #5778 #5783 @slonka
fix(MeshAccessLog): update API to align with the memo #5580 @lobkovilya
fix(MeshGateway): properly apply Service template annotations to existing Service #5674 @michaelbeaumont
fix(MeshTrace): adjust MeshTrace to follow the memo #5743 @lobkovilya
fix(api-server): fix tags filter value with : #5339 @lahabana
fix(api-server): remove spec from inspect policy output #5491 @lahabana
fix(api-server): return 400 on invalid resource name #5719 @lahabana
fix(gateway): be more lenient with prefix paths trailing slashes #5299 @michaelbeaumont
fix(gui): add version and basedOnKuma to index.html #5448 @lahabana
fix(kuma-cp): add option to disable sslsni in universal #5318 @michaelbeaumont
fix(kuma-cp): allow to set policies order from others projects #5535 @lukidzi
fix(kuma-cp): change way of setting if resource is read only #5345 @lukidzi
fix(kuma-cp): concurrent mesh cache map write #5282 @michaelbeaumont
fix(kuma-cp): don’t cache filtered data #5574 @lukidzi
fix(kuma-cp): filtering of name prefix on K8S #5517 @jakubdyszkiewicz
fix(kuma-cp): fix appending of pointer to slice in policies config #5784 @Automaat
fix(kuma-cp): fix kafka_type tag creation regex #5507 @Automaat
fix(kuma-cp): fixed error when logging ExternalServiceResourceList and MeshResourceList #5423 @Automaat
fix(kuma-cp): forward envoy admin operations to proper instance #5466 @jakubdyszkiewicz
fix(kuma-cp): increase kuma-init memory limit when using ebpf #5579 @lukidzi
fix(kuma-cp): kds deadlock #5373 @jakubdyszkiewicz
fix(kuma-cp): make validate list aware of the mesh #5280 @slonka
fix(kuma-cp): memory store keeps children after owner update #5372 @jakubdyszkiewicz
fix(kuma-cp): only put policies in MeshInsight #5577 @lahabana
fix(kuma-cp): retrieve name from owner not parsing pod name for Deployments/CronJob #5569 @lukidzi
fix(kuma-cp): use sni to verify upstream certificate san when specified instead of address #5347 @jamesdbloom
fix(kuma-cp): warn when using deprecated token id #5520 @lahabana
fix(kuma-dp): allow to configure address of application to scrape #5326 @lukidzi
fix(kuma-dp): tolerate endline in token file #5591 @lahabana
fix(kumactl): remove PodSecurityPolicy from install observability #5382 @michaelbeaumont
fix(kumactl): set klog to avoid logs from k8s #5590 @lahabana
fix(kumactl): use the same client in kumactl apply #5327 @lahabana
fix(policy): change percentage field from int to intOrString #5810 @lukidzi
fix(policy): fix schema.yaml to have correct metadata #5349 @lahabana
fix(policy): make targetRef required #5593 @AyushSenapati
fix(policy): remove superfluous var usage #5627 @AyushSenapati
fix(policy): use GatewayAPI style header modifier in all policies #5757 @lahabana
fix(policy): use PascalCase for all constants #5747 @lahabana
fix(universal): don’t set sslsni option if not disabled (backport #5419) #5439 @mergify
fix(xds): don’t read metadata in ProxyBuilders #5414 @lahabana
fix(xds): sort resources when building MeshContext #5391 @lobkovilya

2.0.2

Released on 2023/02/15

Built on top of Kuma 2.0.2

Upgraded the Helm library version.
Upgraded the Go version to 1.18.9.
Fixed data caching. This bug might have caused certificates to regenerate.
Upgraded CoreDNS.

Includes kumahq/kuma@2.0.2 changelog

chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5597 @mergify
chore(deps): update coreDNS to 1.10.0 (backport #5626) #5655 @mergify
chore: remove Apache license header from generated files (backport #5565) #5616 @mergify
chore: upgrade golang to 1.18.9 (backport #5607) #5609 @mergify
fix(kuma-cp): don’t cache filtered data (backport #5574) #5632 @mergify

2.0.1

Released on 2023/02/15

Built on top of Kuma 2.0.1

Fixed potential logging of secrets in kuma-cp.
Fixed KDS instability.
Fixed unnecessary CDS updates.
Fixed a bug where the OPA Agent stops returning valid decisions after KM CP crashes.

Includes kumahq/kuma@2.0.1 changelog

chore: back-ports api base path fix #5341 @kleinfreund
feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5392 @mergify
fix(kuma-cp): add option to disable sslsni in universal (backport #5318) #5322 @mergify
fix(kuma-cp): change way of setting if resource is read only (backport #5345) #5348 @mergify
fix(kuma-cp): kds deadlock (backport #5373) #5397 @mergify
fix(kuma-cp): use sni to verify upstream certificate san when specified along with address (backport #5347) #5378 @mergify
fix(xds): don’t read metadata in ProxyBuilders (backport #5414) #5416 @mergify
fix: sort resources when building MeshContext (backport #5391) #5409 @mergify

2.0.0

Released on 2023/02/15

Built on top of Kuma 2.0.0

Amazon ECS

You can now configure the sidecar to authenticate using the IAM role of the ECS task it’s running as instead of using a data plane token. The control plane interprets the tags on the role similar to how it interprets the data plane token. This simplifies the deployment and management of Kong Mesh on ECS.

For more information, see Kong Mesh on Amazon ECS.

Includes kumahq/kuma@2.0.0 changelog

chore(.github): remove old release workflow #4836 @lobkovilya
chore(api): remove DENY_WITH_SHADOW_ALLOW #5220 @lobkovilya
chore(api): remove unused method and types #5148 @lobkovilya
chore(api): remove unused timestamp.proto import #4906 @michaelbeaumont
chore(api): skip Compute when building inbound access logs #5181 @jakubdyszkiewicz
chore(bootstrap): improve validator policy bootstrap #5014 @lahabana
chore(deps): bump actions/setup-go from 2 to 3 #5024 @dependabot
chore(deps): bump cirello.io/pglock from 1.9.0 to 1.10.0 #5239 @dependabot
chore(deps): bump github.com/Masterminds/sprig to 3.2.2 #5190 @mmorel-35
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.13 #5023 #5067 #5131 @dependabot
chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #4996 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.40.20 to 0.40.24 #4969 #4993 #5162 @dependabot
chore(deps): bump github.com/kumahq/kuma-net from 0.8.1 to 0.8.2 #5188 @dependabot
chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 #4995 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.4.0 #4939 #4949 #5021 #5145 #5204 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.20.0 to 1.23.0 #4933 #4970 #5133 #5146 #5240 @dependabot
chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #5203 @dependabot
chore(deps): bump github.com/prometheus/prometheus from 0.37.0 to 0.39.1 #4887 #5134 @dependabot
chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 #5155 #5241 @dependabot
chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #4994 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 #5020 #5205 @dependabot
chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #4930 @dependabot
chore(deps): bump golang.org/x/text from 0.3.7 to 0.4.0 #5147 #5163 @dependabot
chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.50.1 #4927 #5132 #5156 @dependabot
chore(deps): bump k8s.io dependencies from 0.24.3 to 0.25.3 #4934 #5026 #5153 @michaelbeaumont
chore(deps): bump k8s.io/client-go from 0.25.1 to 0.25.2 #5062 @dependabot
chore(deps): bump kumahq/kuma-gui to f3dba73d4c264b094b6b351a8b44f2d5a0dc4ecb #4842 #4925 #5092 #5106 #5109 #5139 #5141 #5167 #5179 #5197 #5214 #5232 #5234 #5248 #5251 @kleinfreund,@kumahq
chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 #4968 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.9.2 to 0.10.0 #5059 @dependabot
chore(deps): update kuma-grafana-datasource #4856 @bartsmykla
chore(gateway): remove invalid options for MeshGatewayRoute #4890 @michaelbeaumont
chore(gui): removes update/gui command #4954 @kleinfreund
chore(helm): remove unused critical-pod annotation #4952 @michaelbeaumont
chore(helm): switch merbridge image registry to upstream #4838 @bartsmykla
chore(kuma-cp): adjust timeout in cp probes #4983 @jakubdyszkiewicz
chore(kuma-cp): config cleanup #4855 @jakubdyszkiewicz
chore(kuma-cp): improve logging in K8S controllers #4982 @jakubdyszkiewicz
chore(kuma-cp): improve test xds client #4976 @jakubdyszkiewicz
chore(kuma-cp): remove disabling metrics from kuma-cp.defaults #4894 @lahabana
chore(kuma-cp): resource manager wrapper #5057 @jakubdyszkiewicz
chore(kuma-init): use iptables-legacy in kuma-init #5040 @bartsmykla
chore(pkg/gc): don’t rely on core.Now var for time #4918 @lahabana
chore(plugins): remove some unecessary interfaces and methods #4997 @lahabana
chore(proto): remove protos for new policies #5218 @lobkovilya
chore(test): added resource builder #5123 #5195 @jakubdyszkiewicz
chore(test): added support for GRPC to test-server #4904 @lobkovilya
chore(test): make unit test compatible with IPV6 host #5198 @jakubdyszkiewicz
chore(xds): drop deprecated envoy.config.route.v3.HeaderMatcher.exact_match #4953 @michaelbeaumont
docs(MADR): new tracing policy proposal #4938 @michaelbeaumont
docs(MADR): update MADR 007 #5129 @lobkovilya
docs(gateway): explain the semantics of a PREFIX match #5013 @michaelbeaumont
docs(gateway): explain the semantics of a prefix rewrite to / #5016 @michaelbeaumont
docs(proto): fixed default serviceAddress and upgrade docs #5236 @lukidzi
docs(proto): rewrite dataplane proto docs #5219 @jakubdyszkiewicz
feat(ebpf): CNI uses libbpf CO:RE #5233 @lukidzi
feat(ebpf): refactor merbridge using libbpf with CO:RE #5034 @bartsmykla
feat(ebpf): transparent proxy with eBPF in init containers #4919 #5046 #5066 #5095 @bartsmykla
feat(gateway): add MeshGateway support to MeshAccessLog #5101 @michaelbeaumont
feat(gateway): add crossMesh to MeshGatewayConfig #5183 @michaelbeaumont
feat(gateway): add service-upstream annotation for delegated nginx #4913 @michaelbeaumont
feat(gateway): install kuma GatewayClass if gateway API CRDs present #5001 @michaelbeaumont
feat(gateway): match new policies to MeshGateways #5110 @michaelbeaumont
feat(inspect): implement rule-based view for new policies #5000 #5184 #5189 #5202 @jakubdyszkiewicz,@lobkovilya
feat(kuma-cp): add flag to disable taint controller #4852 @jakubdyszkiewicz
feat(kuma-cp): add possibility to restrict TLS version and ciphers #5186 @lahabana
feat(kuma-cp): add possibility to run MADS on TLS #5210 @lahabana
feat(kuma-cp): add possibility to split datadog services based on traffic direction and destination #5063 @Automaat
feat(kuma-cp): added validation for backend name #5081 @Automaat
feat(kuma-cp): created default control plane user #5064 @jakubdyszkiewicz
feat(kuma-cp): extensible token issuers #5083 @jakubdyszkiewicz
feat(kuma-cp): move Mesh Cache to runtime #5140 @Automaat
feat(kuma-cp): universal resources schema validation #5107 @slonka
feat(kuma-cp): use zone token to auth zone ingress #5103 @jakubdyszkiewicz
feat(kuma-dp): publish metrics with text_readouts from envoy #5159 @Automaat
feat(kumactl): add option to install with experimental transparent proxy #4958 @michaelbeaumont
feat(kumactl): use exclude ports for uids from kuma-net #4975 @slonka
feat(policy): Add MeshAccessLog policy #4908 #4998 #5035 #5168 #5177 @michaelbeaumont,@slonka
feat(policy): Add MeshTrace policy #5069 #5085 #5243 @michaelbeaumont,@slonka
feat(policy): Add MeshTrafficPermission policy #4835 #5009 #5075 @lobkovilya
feat(policy): add interfaces for policy plugins #4909 @lahabana
feat(policy): reimplemented matching for new policies #4780 #4950 #4957 #4977 #5068 #5084 #5166 #5172 #5174 @lahabana,@lobkovilya
feat(service-insights): add external service in api #5119 @lahabana
fix(.github): links in PR template #4905 @michaelbeaumont
fix(.github): use github app in pr-comment action #5164 @lahabana
fix(api): nil dereference in MeshAccessLog configurer #5258 @lobkovilya
fix(cni): add empty registry to experimental cni #4847 @slonka
fix(cni): hook up log level to cni #4849 @slonka
fix(cni): make cni logs available via kubectl logs #4845 @slonka
fix(cni): retry loading images #4860 @slonka
fix(docs): fixed location of developer tools in DEVELOPER.md docs #4988 @Automaat
fix(gateway): add support for retryOn #5091 @lahabana
fix(gateway): cross-mesh gateways with same service #5247 @michaelbeaumont
fix(gateway): don’t create invalid envoy config when routes and listeners don’t match #4837 @michaelbeaumont
fix(gateway): route URL prefix rewriting #5006 @michaelbeaumont
fix(gateway): skip ExternalService if none match #5207 @michaelbeaumont
fix(gateway): sort routes #5007 @michaelbeaumont
fix(gatewayapi): don’t NPE if the GatewayClass ref doesn’t exist #5187 @michaelbeaumont
fix(gatewayapi): reconcile Gateways and HTTPRoutes on ReferenceGrant changes #4944 @michaelbeaumont
fix(gatewayapi): update gateway-api and fix failing RouteKind tests #5175 @michaelbeaumont
fix(helm): customize location of kuma-init repository for ebpf cleanup #5230 @lukidzi
fix(helm): use podAnnotations everywhere possible #4991 @lahabana
fix(kuma-cp): collapsed grafana dashboards #4839 @jakubdyszkiewicz
fix(kuma-cp): deep copy tags when gen. outbounds #5070 @bartsmykla
fix(kuma-cp): disable statsForAllMethods in grpc stats #5226 @jakubdyszkiewicz
fix(kuma-cp): do not override source address when TP is not enabled #4951 @lukidzi
fix(kuma-cp): multiple external services pointing to same address #5185 @slonka
fix(kuma-cp): override grafana plugin files by default #5208 @slonka
fix(kuma-cp): reissue admin tls cert on dp address change #5222 @jakubdyszkiewicz
fix(kuma-cp): remove Dataplane for Pod without IP #4964 @jakubdyszkiewicz
fix(kuma-cp): return content type of inspect endpoints #4965 @jakubdyszkiewicz
fix(kuma-dp): resilient TCP access log streamer #4862 @jakubdyszkiewicz
fix(kumactl): get APIVersions from k8s server #5182 @michaelbeaumont
fix(tools): add ‘v’ prefix to preview version format #5004 @michaelbeaumont
fix(tools): support both GitHub app tokens and PATs #4869 @michaelbeaumont
perf(kuma-cp): avoid rebuilding endpoint map #4974 @jakubdyszkiewicz
refactor(kuma-dp): add xds authentication customization #4990 @michaelbeaumont

1.9.3

Released on 2023/02/15

Built on top of Kuma 1.8.3

Upgraded the Helm library version.
Upgraded the Go version to 1.18.9.
Fixed data caching. This bug might have caused certificates to regenerate.
Upgraded CoreDNS.

1.9.2

Released on 2023/02/15

Built on top of Kuma 1.8.2

Fixed potential logging of secrets in kuma-cp.
Fixed KDS instability.
Fixed unnecessary CDS updates.
Fixed a bug where the OPA Agent stops returning valid decisions after KM CP crashes.

1.9.1

Released on 2023/02/15

Built on top of Kuma 1.8.1

Gateway: Added support for retryOn in retry policies.
Added support for evicted Pods.
Added support for wildcard tag value match in RBAC.
Prevents a potential data race by creating a deep copy of tags when generating outbounds.

1.9.0

Released on 2023/02/15

Add “replace” function to CommonName template in CAs which support it (ACMPCA, cert-manager, Vault).
Fix ZoneControlPlane token generation by setting access type to RBAC in the generated default.
Improve RBAC logic by checking both old and new spec on updates.
Add configuration option for RBAC validation result logging.
Add cert-manager.io CA manager.

1.8.5

Released on 2023/02/15

Built on top of Kuma 1.7.4

Upgraded the Helm library version.
Upgraded the Go version to 1.18.9.
Fixed data caching. This bug might have caused certificates to regenerate.
Upgraded CoreDNS.

Includes kumahq/kuma@1.8.5 changelog

chore(deps): bump coredns from 1.10.0 to 1.10.1 #6239 @mergify
chore(deps): bump gorestful and jwt #6203 @lahabana
chore(deps): security update #6059 #6396 #6468 @kumahq
chore(deps): upgrade envoy to v1.22.10 (backport #6483) #6485 @mergify
fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 (backport #6374) #6378 @mergify

1.8.4

Released on 2023/02/15

Built on top of Kuma 1.7.3

Fixed potential logging of secrets in kuma-cp.
Fixed KDS instability.
Fixed unnecessary CDS updates.
Fixed a bug where the OPA Agent stops returning valid decisions after KM CP crashes.

Includes kumahq/kuma@1.8.4 changelog

chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5987 @mergify
chore(deps): security update #5763 #5963 @kumahq
fix(tproxy): fix disabling ipv6 for tproxy (backport #5923) #5955 @mergify

1.8.3

Released on 2023/02/15

Built on top of Kuma 1.7.2

Added support for evicted Pods.
Prevents a potential data race by creating a deep copy of tags when generating outbounds.

Includes kumahq/kuma@1.8.3 changelog

chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5598 @mergify
chore(deps): update coreDNS to 1.10.0 (backport #5626) #5656 @mergify
chore: remove Apache license header from generated files (backport #5565) #5617 @mergify
chore: upgrade golang to 1.18.9 (backport #5607) #5610 @mergify
fix(kuma-cp): don’t cache filtered data (backport #5574) #5633 @mergify

1.8.2

Released on 2023/02/15

Built on top of Kuma 1.7.1

Fix RBAC: all tags specified in when section are required in policies.
Fix RBAC: * value in tag specified in when section means that the tag is required, but can have any value.

Includes kumahq/kuma@1.8.2 changelog

feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5393 @mergify
fix(kuma-cp): kds deadlock (backport #5373) #5398 @mergify
fix: sort resources when building MeshContext (backport #5391) #5410 @mergify

1.8.1

Released on 2023/02/15

Built on top of Kuma 1.7.1

Check both old and new spec on Update

Includes kumahq/kuma@1.8.1 changelog

fix(tools): support both GitHub app tokens and PATs (backport #4869) by @mergify in https://github.com/kumahq/kuma/pull/4872
fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in https://github.com/kumahq/kuma/pull/4980
fix(*): do not override source address when TP is not enabled (backport #4951) by @mergify in https://github.com/kumahq/kuma/pull/4961
fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in https://github.com/kumahq/kuma/pull/5071
fix(gateway): add support for retryOn (backport #5091) by @mergify in https://github.com/kumahq/kuma/pull/5098

1.8.0

Released on 2023/02/15

New Features:

Support for arm64
Graceful shutdown of OPA
Role-based AWS authentication for Vault
Added a Vault AWS authentication option to set the server ID header

Dependency upgrades:

Bump github.com/aws/aws-sdk-go from 1.40.56 to 1.44.21
Bump github.com/hashicorp/go-retryablehttp from 0.6.6 to 0.7.1
Bump github.com/open-policy-agent/opa from 0.38.1 to 0.40.0
Bump github.com/open-policy-agent/opa-envoy-plugin from 0.38.1-envoy-3 to 0.40.0-envoy
Bump k8s.io/api from 0.23.6 to 0.24.1
Bump k8s.io/apimachinery from 0.23.6 to 0.24.1
Bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.1

Includes kumahq/kuma@1.8.0 changelog

New features:

CNI v2 with lots of improvements:

taint controller to prevent race condition #4650 @slonka
all logs are easily accessible via kubectl logs command which greatly simplifies observability #4845 @slonka
it uses new transparent engine implemented in kuma-net #4481 @slonka

URL rewrite in Builtin Gateway:

support URL rewriting #4638 @michaelbeaumont

Stats and Clusters in the GUI:

execute stats and clusters from the control plane #4557 #333 @jakubdyszkiewicz

Extra retryOn options for Retry:

add extra http retryOn options #4744 @johnharris85

Better support for TCP logging:

resilient tcp TCP access log streamer #4511 @parkanzky #4862 @jakubdyszkiewicz

Filtering Envoy metrics:

added option to define filter for Envoy metrics #4503 @lukidzi

Projected service account token:

support for projected service account token #4453 @lukidzi

Fixes:

Helm:

remove duplicate keys in resources #4681 @michaelbeaumont
add containersecuritycontext to CNI daemonset #4677 @jakubdyszkiewicz
fix extraConfigMap and cp labels #4531 @lahabana
use image.global.registry for imageExperimental #4641 @jakubdyszkiewicz

Gateway:

ListenerReason for unresolved certificate refs, enable ReferenceGrant conformance tests #4806 @michaelbeaumont
check hostname intersection between HTTPRoute and Gateway listener #4537 @michaelbeaumont
create MeshGatewayInstance in same Mesh as Gateway #4794 @michaelbeaumont
don’t create invalid envoy config when routes and listeners don’t match (backport #4837) #4841 @mergify
hostname intersections, use new RouteReasons #4544 @michaelbeaumont
improve HTTPRoute statuses with unresolved BackendRefs #4635 @michaelbeaumont
npe without any timeout #4548 @michaelbeaumont
rbac permissions for ReferenceGrant #4628 @michaelbeaumont
workaround label value max length with hash #4545 @michaelbeaumont

Control Plane:

check if kuma annotation or label is set but ignore value #4731 @lukidzi
delete an empty TimeoutConfigurer #4554 @lobkovilya
do not modify external service tags #4591 @jakubdyszkiewicz
don’t deploy Pod/Service webhooks in global #4673 @michaelbeaumont
don’t fail generation if other mesh CAs are misconfigured #4501 @michaelbeaumont
external service datasource validation #4652 @jakubdyszkiewicz
fix builtdns annotations for kubernetes #4660 @lahabana
generate cluster name hash based on tags not config #4598 @lukidzi
grant delete Pods in kuma-system namespace to control plane #4571 @michaelbeaumont
localhost exposed application shouldn’t be reachable #4750 @lukidzi
make options for policies simpler #4722 @lahabana
protect sort from empty locality #4820 @jakubdyszkiewicz
registering dp on reconnect #4647 @jakubdyszkiewicz
support GC service account #4483 @lobkovilya
validate both old and new objects on Update #4589 @michaelbeaumont
validation error with user tokens #4507 @jakubdyszkiewicz

Data Plane:

access log path on windows when cp is on linux #4518 @jakubdyszkiewicz
fix multi OS build of accesslogs #4767 @lahabana
have envoy version check always work #4564 @lahabana
propagate context for metrics aggregate #4640 @lukidzi
set prometheus content-type when returning metrics #4706 @lukidzi

Other:

add operations now create non-existent path elements #4595 @michaelbeaumont

Docs:

new policy matching proposal #4474 @lobkovilya

Other changes:

Gateway:

mention mesh name in gateway instance status #4678 @lahabana
add listener connection limits #4755 @michaelbeaumont
add loadBalancerIP to MeshGatewayInstance #4519 @michaelbeaumont
allow MeshGateway Dataplane Pods to bind privileged ports #4535 @michaelbeaumont
configure overload_manager based on max memory #4694 @michaelbeaumont
multi-zone cross-mesh MeshGateway #4443 @michaelbeaumont
propagate x-kuma-tags from MeshGateways #4476 @michaelbeaumont
send default static payload for empty gateway #4617 @tharun208
set path_with_escaped_slashes_action #4719 @michaelbeaumont
set cluster HTTP2 stream and connection window size #4779 @michaelbeaumont
set cluster per_connection_buffer_limit_bytes #4696 @michaelbeaumont
set global_downstream_max_connections to 50000 #4724 @michaelbeaumont
update to Gateway API v0.5.0, support v1beta1 resources #4599 @michaelbeaumont
validate listeners for collapsibility #4765 @michaelbeaumont
add MeshGateway dashboard #4555 @michaelbeaumont

Control Plane:

config cleanup (backport #4855) #4857 @mergify
don’t set deprecated dns_resolver_config #4702 @michaelbeaumont
don’t set deprecated known_suffixes #4701 @michaelbeaumont
remove deprecated Cluster.Http2ProtocolOptions #4528 @michaelbeaumont
remove versions_ws #4512 @lahabana
replace deprecated admin_access_log_path #4552 @lahabana
add /policies endpoint to list all registered policies #4708 @lahabana
authenticate DP every time #4685 @jakubdyszkiewicz
enrich policies endpoint #4791 @jakubdyszkiewicz
identify gateway service by deployment #4703 @parkanzky
separate CA for Envoy Admin communication #4676 @jakubdyszkiewicz
use remote address for Gateway #4530 @jakubdyszkiewicz
add operations now create non-existent path elements #4595 @michaelbeaumont

Data Plane:

remove envoy admin port flag #4574 @tharun208
detect memory limit only on linux #4715 @jakubdyszkiewicz

kumactl:

add a limit to the prom TSDB size #4651 @lahabana
remove old flags in install tp #4760 @lahabana
add MeshGateway to install demo #4679 @michaelbeaumont
add install control-plane –registry flag #4533 @michaelbeaumont

Documentation:

create MADR for MeshTrafficPermission #4666 @lobkovilya
new policy matching proposal #4474 @lobkovilya
policy matching, replace ‘conf’ with ‘default’ #4693 @lobkovilya

CNI:

add cni ebpf plugin #4810 @bartsmykla
implement the cni plugin #4481 @slonka #4618 @slonka #4613 @slonka #4850 @mergify #4642 @slonka #4788 @slonka #4858 @mergify #4826 @slonka #4695 @slonka #4846 @mergify
taint controller #4852 @jakubdyszkiewicz
use our cni with calico #4801 @slonka

Dependency updates:

update demo to latest version #4572 @lahabana
update Kuma GUI #4815 @kleinfreund #4723 @lahabana
use github.com/emicklei/go-restful/v3 #4665 @mmorel-35
bump alpine from 3.16.0 to 3.16.2 in /tools/releases/dockerfiles #4670 #4827 @dependabot
bump github.com/containerd/cgroups from 1.0.3 to 1.0.4 #4717 @dependabot
bump github.com/containernetworking/cni from 0.8.1 to 1.1.2 #4632 #4716 @dependabot
bump github.com/golang-jwt/jwt/v4 from 4.4.1 to 4.4.2 #4499 @dependabot
bump github.com/golang-migrate/migrate/v4 from 4.15.0 to 4.15.2 #4672 @dependabot
bump github.com/gruntwork-io/terratest from 0.40.15 to 0.40.20 #4469 #4480 @dependabot
bump github.com/miekg/dns from 1.1.49 to 1.1.50 #4492 @dependabot
bump github.com/onsi/gomega from 1.19.0 to 1.20.0 #4671 @dependabot
bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #4783 @dependabot
bump github.com/prometheus/common from 0.34.0 to 0.37.0 #4489 #4627 @dependabot
bump github.com/spf13/cobra from 1.4.0 to 1.5.0 #4491 @dependabot
bump go.uber.org/zap from 1.21.0 to 1.22.0 #4829 @dependabot
bump google.golang.org/grpc from 1.47.0 to 1.48.0 #4631 @dependabot
bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #4718 @dependabot
bump k8s.io/apiextensions-apiserver from 0.24.0 to 0.24.3 #4493 #4624 @dependabot
bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.3 #4498 #4581 @dependabot
bump sigs.k8s.io/controller-tools from 0.9.0 to 0.9.2 #4549 @dependabot

1.7.6

Released on 2023/02/15

Built on top of Kuma 1.6.4

Upgraded the Helm library version.
Upgraded the Go version to 1.18.9.
Fixed data caching. This bug might have caused certificates to regenerate.
Upgraded CoreDNS.

Includes kumahq/kuma@1.7.6 changelog

chore(deps): bump coredns from 1.10.0 to 1.10.1 #6240 @mergify
chore(deps): bump gorestful and jwt (backport #6203) #6212 @mergify
chore(deps): security update #6058 #6394 #6469 @kumahq
chore(deps): upgrade envoy to v1.22.10 (backport #6483) #6486 @mergify

1.7.5

Released on 2023/02/15

Built on top of Kuma 1.6.3

Fixed potential logging of secrets in kuma-cp.
Fixed KDS instability.
Fixed unnecessary CDS updates.
Fixed a bug where the OPA Agent stops returning valid decisions after KM CP crashes.

Includes kumahq/kuma@1.7.5 changelog

chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5988 @mergify
chore(deps): security update #5766 #5966 @kumahq

1.7.4

Released on 2023/02/15

Built on top of Kuma 1.6.2

Added support for evicted Pods.
Prevents a potential data race by creating a deep copy of tags when generating outbounds.

Includes kumahq/kuma@1.7.4 changelog

chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5599 @mergify
chore(deps): update coreDNS to 1.10.0 (backport #5626) #5657 @mergify
chore(helm): remove duplicate keys in resources (backport #4681) #5640 @mergify
chore: remove Apache license header from generated files (backport #5565) #5618 @mergify
chore: upgrade golang to 1.18.9 (backport #5607) #5611 @mergify
fix(kuma-cp): don’t cache filtered data (backport #5574) #5634 @mergify

1.7.2

Released on 2023/02/15

Built on top of Kuma 1.6.1

Check both old and new spec on Update

Includes kumahq/kuma@1.7.2 changelog

fix(helm): always run Helm version update by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4604
chore(helm): update to 1.7.1 by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4603
Revert “fix(helm): always run Helm version update (#4604)” by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4609
fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in https://github.com/kumahq/kuma/pull/5072
fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in https://github.com/kumahq/kuma/pull/5096

1.7.1

Released on 2023/02/15

Built on top of Kuma 1.6.1

Allow graceful shutdown of OPA

Includes kumahq/kuma@1.7.1 changelog

Fixes

Gateway

Nil pinter exception without any timeout (#4550)
Use remote address for Gateway (#4538)

kumactl

Update demo to latest version (#4587)

Control plane

Grant delete Pods in kuma-system namespace to control plane (#4575)
Don’t fail generation if other mesh CAs are misconfigured (#4517)
Don’t override timeout values for ExternalServices (#4568)

Data plane proxy

Access log path on windows when cp is on linux (#4518)

Helm

Fix extraConfigMap and cp labels (#4541)

General

Avoid -<arch> in version of the binaries (#4527)

1.7.0

Released on 2023/02/15

New Features:

Add support for AWS Certificate Manager Private CA
Inspect API support for Open Policy Agent
Add license values to Mesh reports

Dependency upgrades:

Bump github.com/aws/aws-sdk-go from 1.40.56 to 1.43.29
Bump github.com/hashicorp/vault/api from 1.3.1 to 1.5.0
Bump github.com/open-policy-agent/opa from 0.37.1 to 0.38.1
Bump github.com/open-policy-agent/opa-envoy-plugin from 0.37.1-envoy to 0.38.1-envoy-3

Includes kumahq/kuma@1.7.0 changelog

New features:

Cross Mesh Communication:

add cross-mesh MeshGateway listeners #4274 #4405 @michaelbeaumont

ContainerPatch:

allow custom configuration of Kubernetes’ kuma-init and kuma-sidecar containers by introducing ContainerPatch CRD #4280 #4362 / #4366 #4369 / #4370 @parkanzky, @bartsmykla

Observability:

hijack application metrics to enable scraping metrics from mTLSed applications without prometheus in the mesh #4286 #4388/#4406 @lukidzi
unified installation of metrics/logging/tracing into one command observability #4308 #4411/#4418 @lukidzi, @lahabana

ARM64 support:

added arm build and release pipeline #4231 @lukidzi
release for arm64 now publish correct arch image #4276 @lukidzi
upgrade kubectl to version with ARM support #4180 @lukidzi
support ARM Linux/Darwin for dev/tools #4199 @lukidzi
introduced map of arch for a specific build #4321 @lukidzi
do not exclude arm64 files from docker #4265 @lukidzi

Gateway:

add GatewayClass.Spec.ParametersRef support #4157 @michaelbeaumont
cp annotations from gateway to svc #4327 @johnharris85
only reconcile Gateway when GatewayClass is Ready #4162 @michaelbeaumont
auto generate hostname for crossMesh listeners #4421/#4424 @michaelbeaumont

Helm:

set host network var in helm/cp-deployment.yaml #4209 @SallyBlichWalkMe
add resource management for jobs #4254 @gdasson
option for automountSAT=false on cp #4309 @gdasson
helm chart improvements #4337 @bartsmykla

CP:

experimental transparent proxy annotation #4240 @parkanzky
graceful shutdown on Universal using HDS #4246 @jakubdyszkiewicz
intercept signal for different platforms #4283 @jakubdyszkiewicz
XDS config dump on Global CP #4301 @jakubdyszkiewicz
validate DP compat on kuma backend #4236 @parkanzky

DP:

graceful shutdown of kuma-dp #4229 @jakubdyszkiewicz

Fixes:

Gateway:

use MeshGatewayInstance mesh annotation when matching #4361/#4371 @michaelbeaumont

Helm:

remove replica from cp-deployment.yaml when autoscaling enabled #4447/#4454 @gustoliv

CP:

fix ‘/config_dump’ request if Global CP is on Kubernetes #4363/#4372 @lobkovilya
add the latest version to compatibility matrix #4232 @parkanzky

DP:

clarify error log message when kuma-dp is wrongly connecting to global-cp #4269 @slonka

Kumactl:

fix transparent proxy –skip-conntrack-zone-split flag value #4334 @bartsmykla

Other notable changes:

Gateway:

add /finalizers permission for OwnerReferencesPermissionEnforcement plugin #4239 @michaelbeaumont
don’t match on ALPN in gateway (#4198) #4272 @wjrbetts

Helm:

delete ‘kubernetes.io/arch’ node selector #4335 @lobkovilya

CP:

don’t always recompute mesh contexts #4267 @michaelbeaumont
don’t run dataplane gc in global #4184 @lahabana
graceful components #4277 @jakubdyszkiewicz
memory store cannot delete a parent #4194 @jakubdyszkiewicz
protocol check should be case-insensitive #4248 @lukidzi
remove dns server from control plane #4192 @lahabana
automatically detect dns lookup family for cp cluster #4275 @slonka

ZoneIngress:

graceful start of many ZoneIngresses #4305 @jakubdyszkiewicz

ZoneEgress:

resolve zone-ingress advertized address #4219 @lahabana
do not change ip to ZoneEgress address #4193 @lukidzi

Kumactl:

remove flag ‘–experimental-meshgateway’ #4315 @lobkovilya

Timeout Policy:

deprecate ‘timeout.grpc’ section #4365/#4449 @lobkovilya

Other:

delete dns-server 5653 port from configuration and helm files #4339/#4345 @lobkovilya
support kube-linter tools to analyze Kubernetes YAML files #4294 @mangoGoForward

Dependency upgrades:

upgrade envoy to 1.22.1 #4288 #4464/#4465 @lobkovilya
upgrade kuma-cni to 0.0.10 #4313 @lobkovilya
upgrade tproxy iptables to v0.2.2 #4328 @bartsmykla
upgrade GUI to the latest version #4316 #4338 #4389/#4390 @jakubdyszkiewicz, @lahabana, @bartsmykla
upgrade protoc and regenerate files #4169 @lukidzi
bump github.com/golang-migrate/migrate/v4 from 4.15.1 to 4.15.2 #4234 @dependabot
bump github.com/gruntwork-io/terratest from 0.40.6 to 0.40.10 #4178 #4260 #4322 @dependabot
bump github.com/lib/pq from 1.10.5 to 1.10.6 #4299 @dependabot
bump github.com/miekg/dns from 1.1.48 to 1.1.49 #4291 @dependabot
bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 #4233 @dependabot
bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 #4290 @dependabot
bump github.com/prometheus/common from 0.33.0 to 0.34.0 #4235 @dependabot
bump github.com/spf13/viper from 1.10.0 to 1.11.0 #4177 @dependabot
bump google.golang.org/grpc from 1.45.0 to 1.46.2 #4213 #4289 @dependabot
bump k8s.io/apiextensions-apiserver from 0.23.5 to 0.24.0 #4216 @dependabot #4302/#4378
bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.1 #4302/#4378 @dependabot

Other:

automate policy generation #4197 @lobkovilya

1.6.4

Released on 2023/02/15

Built on top of Kuma 1.5.4

Upgraded the Helm library version.
Upgraded the Go version to 1.18.9.
Fixed data caching. This bug might have caused certificates to regenerate.
Upgraded CoreDNS.

Includes kumahq/kuma@1.6.4 changelog

chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5601 @mergify
chore(deps): update coreDNS to 1.10.0 (backport #5626) #5658 @mergify
chore(helm): remove duplicate keys in resources (backport #4681) #5641 @mergify
chore: remove Apache license header from generated files (backport #5565) #5620 @mergify
chore: upgrade golang to 1.18.9 (backport #5607) #5612 @mergify
fix(kuma-cp): don’t cache filtered data (backport #5574) #5635 @mergify

1.6.3

Released on 2023/02/15

Built on top of Kuma 1.5.3

Fixed potential logging of secrets in kuma-cp.
Fixed KDS instability.
Fixed unnecessary CDS updates.

1.6.1

Released on 2023/02/15

Built on top of Kuma 1.5.1

Remove the old JWT library
Make the Open Policy Agent timeout configurable

Dependency upgrades:

Bump github.com/open-policy-agent/opa from 0.37.2 to 0.38.1

Includes kumahq/kuma@1.6.1 changelog

Fixes:

CP:

do not change ip to ZoneEgress address (backport #4193) #4195
memory store cannot delete a parent (backport #4194) #4196

Dependency upgrades:

upgrade envoy to 1.21.3 #4457 @lobkovilya

1.6.0

Released on 2023/02/15

Built on top of Kuma 1.5.0

UBI images support.
ECS EC2 and Fargate first party support.
Update OPA agent to v0.37.2.

Includes kumahq/kuma@1.6.0 changelog

New features:

Gateway:

release K8s GatewayAPI as preview 4072 4022 4045 4014 3956 @jakubdyszkiewicz,@michaelbeaumont
use MeshGatewayInstance name for generated objects 4097 @michaelbeaumont

Inspect api:

add gateways to policy inspect 4125 4104 4092 4088 4077 4064 4065 3973 3966 @michaelbeaumont

ZoneEgress:

Make zoneegress available in standalone mode 4100 @lahabana
added locality aware lb for external service 4048 @lukidzi
make zoneegress routing opt-in 4109 4013 @lukidzi
support RateLimit and FaultInjections 4000 @lobkovilya

Helm:

Allow customization of image tags in Helm chart 4068 @gdasson
Expose kuma-cp’s metric port so it can be scraped by self-deployed prometheus. 4047 @jbehrends
add resource limits option for control plane deployment 4049 @gdasson
fail if global.image.tag and appVersion incompatible 4085 @michaelbeaumont
set version to track appVersion 4083 @michaelbeaumont
expose kuma-cp gui through ingress 4101 @lukidzi
allow specifying security context 4153 @gdasson @bartsmykla

Other:

feat(k8s): ability to set custom service account token volume 4036 @johnharris85
feat(k8s): shutdown kuma-dp container for any owner kind 4079 @lukidzi
feat(k8s): support startupProbes 4090 @lahabana
feat(kuma-cp): add uptime, policies, gateway dps to reports 3933 @parkanzky
feat(kuma-cp): add metrics and timeouts to CA interface 4089 @parkanzky
feat(kumactl): add –values and –set to kumactl install control-plane 4086 @lahabana
feat(transparent-proxy): add experimental tproxy iptables generation 4114 @bartsmykla

Dependency upgrades:

bump alpine from 3.15.0 to 3.15.2 in /tools/releases/dockerfiles 4060 4023 @dependabot
bump github.com/envoyproxy/protoc-gen-validate from 0.6.3 to 0.6.7 3978 3976 @dependabot
bump github.com/go-logr/logr from 1.2.2 to 1.2.3 4040 @dependabot
bump github.com/golang-jwt/jwt/v4 from 4.3.0 to 4.4.1 4061 4025 @dependabot
bump github.com/k8s/* from 0.23.4 to 0.23.5 4043 @lahabana
bump github.com/miekg/dns from 1.1.46 to 1.1.47 3998 @dependabot
bump github.com/onsi/gomega from 1.18.1 to 1.19.0 4062 @dependabot
bump github.com/spf13/cobra from 1.3.0 to 1.4.0 3995 @dependabot
bump go.uber.org/multierr from 1.7.0 to 1.8.0 3974 @dependabot
bump google.golang.org/grpc from 1.44.0 to 1.45.0 3993 @dependabot
bump google.golang.org/protobuf from 1.27.1 to 1.28.0 4046 @dependabot
bump helm.sh/helm/v3 from 3.8.0 to 3.8.1 3994 @dependabot
bump sigs.k8s.io/gateway-api from 0.4.1 to 0.4.2 3997 @dependabot
remove dependency on spire 4044 @lahabana

Other notable changes:

chore(k8s): replace cni registry 4070 @lobkovilya
chore(k8s): use appProtocol from service by default 4015 @jakubdyszkiewicz
chore(kuma-dp): cleanup bootstrap version field 3670 @tharun208
fix(gateway): fix status updating in MeshGatewayInstance reconciliation 4051 @michaelbeaumont
fix(gateway): gateway instance service reconciliation loops forever 4035 @jakubdyszkiewicz
fix(gateway): gateway reconciliation loops forever 4034 @jakubdyszkiewicz
fix(gateway): gateway tls listeners without hostnames 4093 @jakubdyszkiewicz
fix(gateway): ignore non TCP protocol for provided gateway 4067 @lahabana
fix(gateway): mesh gateway instance service target port 4071 @jakubdyszkiewicz
fix(gateway): skip creating MeshGateways without proper attachment 4011 @jakubdyszkiewicz
fix(helm): add prefix to app label in ingress/egress deployment 4123 @lahabana
fix(helm): fix other template prefix in ingress/egress 4124 @lahabana
fix(helm): remove wildcard rbac version 4148 @johnharris85
fix(k8s): reconcile serviceMaps when using mesh namespace annotation 3815 @lahabana
fix(kuma-cp): avoid generating excessive envoy clusters 3984 @lobkovilya
fix(kuma-cp): default policy creation 4073 @lobkovilya
fix(kuma-cp): guard the nil version in metadata 3969 @jakubdyszkiewicz
fix(kuma-cp): provide better message when running with an in-memory database 3982 @lukidzi
fix(kuma-dp): better error message when the token is invalid 3961 @lahabana
fix(kumactl): add mesh flag to only commands that uses it 3788 @tharun208
fix(kumactl): split yaml correctly in kumactl apply 4107 @lahabana
fix(proxytemplate): avoid validation error 3937 @marcoferrer
fix(proxytemplate): execute hooks before proxy template modifications 4055 @jakubdyszkiewicz
perf(k8s): move outbounds from Dataplane to Config 3986 @jakubdyszkiewicz

1.5.1

Released on 2023/02/15

Built on top of Kuma 1.4.1

Default role-based access control (RBAC) for zone control planes is now restricted to the admin role.
Performance continues to be significantly improved.
Authentication tokens are now more secure.

Includes kumahq/kuma@1.5.1 changelog

chore(k8s): replace cni registry (backport #4070) 4076
fix(kuma-cp): default policy creation (backport #4073) 4080
fix(kuma-cp): guard the nil version in metadata (backport #3969) 3970

1.5.0

Released on 2023/02/15

Built on top of Kuma 1.4.0

Role-based Access Control (RBAC) is now available.
Support for Windows installation on Universal (VMs) is now available.
Renewable tokens in Vault are now supported.

Includes kumahq/kuma@1.5.0 changelog

feat(*): zone egress #3809 #3757
feat(kuma-cp) data plane proxy membership #3619
feat(kuma-cp): reachable services in transparent proxying #3791
feat(inspect-api): retrieve full XDS config #3768
feat(*): inspect api support #3805 #3568 #3462
feat(kuma-cp): add proxytemplate to matched policies for inspect poli… #3786 👍contributed by @tharun208
feat(kuma-cp): enable traffic route for inspect endpoints #3735 👍contributed by @tharun208
feat(*): move adminPort to DPP resource #3739
feat(helm): add imagePullSecrets support #3755 👍contributed by @johnharris85
feat(*): enable Gateway with runtime flag #3736
feat(kumactl): add –api-timeout flag #3723
feat: allow for ca/identity secrets for every mesh #3696
feat(kuma-cp): allow extra cm in kuma cp chart #3671 👍contributed by @wjrbetts
feat(kuma-cp): add gui link in index api response #3675 👍contributed by @tharun208
feat(*): allow ca.crt to be in separate k8s secret #3638
feat(kumactl): add type of logging and tracing backends with name in table output #3636 👍contributed by @tharun208
feat(kuma-cp): enable client side gRPC keepalive #3574
feat(gui): new onboarding view kumahq/kuma-gui#194
feat(gui): link to documentation from policy view kumahq/kuma-gui#289
fix(kuma-cp): do not update unchanged insights #3819
fix(*): do not annotate gateway services with ingress upstream #3816
fix(*): properly escape DB password when creating postgres connection string #3804
fix(kuma-cp): fix missing label sidecar injection #3740
fix(kuma-dp): fix conntrack collisions #3459 👍contributed by @johnharris85
fix(conf): remove invalid health check fields from example #3697 👍contributed by @tharun208
fix(kuma-dp): binary lookup function skips not available directories #3667
fix(k8s): make sure controllers start after leader election #3666
fix(build): fix gomega matchers for inspect resources command test #3660 #3651 👍contributed by @tharun208
fix(kumactl): ignore any unregistered CRDs, not only from the root chart #3643
fix(kumactl): print meta before spec for Kuma resources #3637
fix(kuma-cp): add cp selector to global sync service #3579
fix(kuma-cp) do not override other dataplane with dp lifecycle #3507
fix(helm) Add support to customize nodeport #1944 👍contributed by @bhiravabhatla
perf(kuma-cp): use mesh snapshot in proxy builder #3700
perf(kuma-cp): use mesh snapshot in gateway #3710
perf(kuma-cp): share mesh context #3659
improvement(metadata): include name of annotation to parse error message #3677 👍contributed by @ChinYing-Li
refactor(insights): delete method GetLatestSubscription for insights #3656 👍contributed by @tharun208
refactor(kuma-cp): unify mesh determination for k8s objects #3708
refactor(*): replace ensureDefaultXXX functions with a single generic function #3662 👍contributed by @tharun208
chore(zone-ingress): delete deprecated env KUMA_DATAPLANE_ADMIN_PORT #3766
chore(k8s): remove GetBool method and use GetEnabled #3698 👍contributed by @tharun208
chore(*): generate CRD types #3453
chore(dataplane)!: disallow using 0.0.0.0 in networking.address for dp #3691
chore(kuma-cp): consolidate mesh defaults creation #3678
chore(config): remove ability to disable insights #3501
chore(*): remove old Ingress #3435
chore(*): upgrade Envoy to v1.21.1 #3909
chore(grafana): update to latest grafana plugin version #3812
ci(*): release on every commit in master and release branches #3712

1.4.1

Released on 2023/02/15

Built on top of Kuma 1.3.1

Common Name (CN) support for Vault certificate storage is now available.
You can now disable zones as needed.
The number of PostgreSQL connections is now limited to 50 by default. The default value was previously unlimited; you can still configure the limit if needed.
You can now select a specific zone in the Kuma Service dashboard and in the Service to Service dashboard.

Includes kumahq/kuma@1.4.1 changelog

feat: add kubernetes tags automatically #3439
perf: update Mesh and ServiceInsights only when really needed #3463
perf: eliminate uneccessary JSON marshalling #3483
feat: sidecar injection webhook based on labels #3417
chore: upgrade gui to new version #3454
test: fix postgress tests permissions #3443
feat: add affinity to CP and Ingress pods #3036 👍contributed by @andrey-dubnik
chore: bump github.com/golang-jwt/jwt/v4 from 4.1.0 to 4.2.0 #3432
feat: consolidate tokens logic to support expiration, rotation, revocation and RSA256 #3376
fix: simplify cluster creation with endpoints #3403
fix: enable metrics hijacker for current version of Kuma #3405
fix: switch to mTLS when CP communicates with Envoy Admin #3353
chore: bump github.com/spiffe/spire from 0.12.3 to 1.1.1 #3388
chore: bump github.com/spf13/viper from 1.8.1 to 1.9.0 #3389
fix: validate cp url in dp conf #3357
chore: send reports to tls endpoint #3361
chore: check explicit service account name #3228
feat: inspect other dependencies versions #3352
chore: add area/gateway label #3263
chore: remove dp token from xds metadata #3282
refactor: move from io/ioutil to io and os packages #3265 👍contributed by @Juneezee
fix: validate newly generated xDS snapshots #3195
chore: bump k8s.io/apiextensions-apiserver from 0.22.3 to 0.22.4 #3218
chore: bump helm chart version to 0.8 #3202

1.4.0

Released on 2023/02/15

Built on top of Kuma 1.3.0

You can now configure CA rotation in {{site.mesh_product_name}}.
A service map topology view is available that provides visualization of service traffic dependencies.
Support for mutual TLS in permissive mode is available, to support migrating applications into the service mesh.
You can now customize hostnames and ports for data plane proxies with a new virtual outbound policy.
You can more easily specify intermediate CAs with mTLS.

Includes kumahq/kuma@1.4.0 changelog

chore(*) scripts for build, publish and fetch Envoy binaries #3110 #3182
chore(kuma-cp) upgrade gui to new version #3178 #3179
chore(kuma-cp) Use go structs instead of gotemplate for bootstrap #3156 #3173
chore(deps): bump github.com/slok/go-http-metrics from 0.9.0 to 0.10.0 #3170
Disable reporting by default #3070 #3159
chore(kumactl) remove install CRDs filter function #3139
feat(kuma-dp) Add conf to disable service vip #3143
chore(kuma-cp) update some TODO comments #3141
feat(kuma-cp) Add kuma.io/ignore annotation #3142
fix(kuma-dp) match gateway cluster names in the hijacker #3106
feat: add ECDSA certificate generator support #3093
feat: add more global resources to GlobalInsights #3094
feat: allow creating secrets for the not yet existing mesh #3076 👍contributed by cloudwiz
feat: don’t add v6 in DNS when v6 is disabled #3089
fix: explicitly disable dns in env when disabled in injector #3077
feat: added support for https tracing endpoint #3057 👍contributed by sudeeptoroy
fix: normalize generating TLS certificates #3027
fix: zero downtime when enabling permissive mTLS #3019
feat: add deprecation notice for kuma-prometheus-sd #2994
feat: add GlobalInsights api endpoint #3018
fix: duplicate TLS certificate usage #3008
chore: add command argument count parameters #3010
feat: aggregate dp stats by type in MeshInsight #2999
chore: delete CLI flag ‘–bootstrap-version’ #2965
feat: show the effective Dataplane address #2977
feat: aggregate services in MeshInsight #2974
fix: allow only one healthcheck #2972
feat: give CA managers all backends at once #2956
chore: normalize timeout configurer API #2934
fix: locality-aware lb for external-services #2903
feat: add install control-plane –version flag for all components #2904
feat: add zone selector to Kuma Mesh dashboard #2860
fix: possible to delete resources on Zone CP #2665
fix: make cluster names contextually unique #3098
feat: automatically enable gzip content on gateways #3104
feat: add Gateway TLS termination support #3044
feat: add gateway support for external services #2990
fix: enable secrets support for Gateway resources #2953
feat: initial connection policy support for Gateway #2933
feat: add access to generate zone ingress token #3075
feat: user token with RSA256 #2992
feat: prefix system users and groups with mesh-system #3013
feat: localhost is not an admin on kubernetes #3003
feat: user token enabled by default #2941
feat: Admin User Token bootstrap #2923
chore: refactor access control for individual access #2983
feat: support plugin based authentication including user tokens #2895
feat: User Token for API Server authentication #2892
chore: refactor authz and authn to plugins #2837
chore(kuma-cp) upgrade gui to new version #3148
chore(*) upgrade to Go 1.17.3 #3147
chore(deps): bump github.com/operator-framework/operator-lib #3158
chore(deps): bump github.com/gruntwork-io/terratest #3130
chore: update helm and controller-runtime #2764
chore: bump github.com/lib/pq from 1.10.3 to 1.10.4 #3131
chore: bump google.golang.org/grpc from 1.41.0 to 1.42.0 #3101
chore: bump github.com/prometheus/common from 0.31.1 to 0.32.1 #3006
chore: bump github.com/envoyproxy/protoc-gen-validate #3007
chore: bump github.com/google/uuid from 1.2.0 to 1.3.0 #2839
chore: bump sigs.k8s.io/controller-runtime from 0.10.2 to 0.10.3 #3132
chore: bump k8s.io/client-go from 0.22.2 to 0.22.3 #3061
chore: bump k8s.io/apiextensions-apiserver from 0.22.2 to 0.22.3 #3059
chore: bump k8s.io/api from 0.22.2 to 0.22.3 #3058
chore: bump github.com/golang-migrate/migrate/v4 #2970
chore: bump helm.sh/helm/v3 from 3.6.1 to 3.7.1 #2968
chore: bump github.com/miekg/dns from 1.0.14 to 1.1.43 in /pkg/transparentproxy/istio #2752

1.3.4

Released on 2023/02/15

Built on top of Kuma 1.2.3

Moved to a Kuma fork of go-control-plane that fixes a Goroutine leak

1.3.3

Released on 2023/02/15

Built on top of Kuma 1.2.3

kumactl now always warns when the client and server versions cannot be confirmed to match.
The data plane proxy type is now checked for a valid value (one of ingress or dataplane).
Improvements to the control plane.

1.3.2

Released on 2023/02/15

Built on top of Kuma 1.2.2

Datadog is now available as a traffic tracing option.
Message limit for gRPC stream is increased to better support Kuma discovery service (KDS)
Improved leader election during unexpected failures.
Improved SDS and XDS on rapid DP restarts.
Fixed HDS on the dataplane server when bootstrapping an ingress.

1.3.1

Released on 2023/02/15

Built on top of Kuma 1.2.1

(Kuma) The data plane proxy now provides an advertised address to the control plane for communication in cases where the address is not directly reachable.
(Kuma) An SNI header is now added when TLS is enabled, to permit communication with external services that require it.
(Kong Mesh only) New parameters pki and role are available for Vault.
(Kong Mesh only) The CNI config name is now always prefixed with kuma-cni.
(Kong Mesh only) TTL is no longer validated for Vault.

Includes kumahq/kuma@1.3.1 changelog

fix: disable zone #2884
fix: limit number of postgres connection by default #2866
feat: add zone selector to Kuma Service to Service dashboard #2876
feat: add zone selector to Kuma Service dashboard #2865
feat: add zone selector to Kuma Dataplane dashboard #2864
fix: fix duplicates in dataplane list in Kuma Services dashboard #2845
chore: migrate install resources from rbac API v1beta1 to v1 #2875
fix: fault injection matching #2757
fix: delete kuma.io/region and kuma.io/sub-zone #2824
feat: print control plane version with version cmd #2834
fix: Only warn about version compatibility where it makes sense #2828
perf: remove insight update rate limit burst #2825
perf: apply ratelimit to service insights #2815
feat: adds support for specifying specific IP for cloud provider load balancers for ingress service #2779 👍contributed by @jamesdbloom
fix: send tool output to stdout #2787
fix: switch to a Kuma fork of go-control-plane #2771
chore: parametrize label on the deployment #2765
perf: set Node only on first DiscoveryRequest #2741
feat: verify ServiceAccountToken bound to a Pod #2745
feat: internal dns should resolve AAAA records #2760
fix: Add FORMERR and NOTIMP in alternate default coredns conf #2756
fix: virtual probes with query #2706
fix: Avoid calling Send() from different goroutines #2573
feat: automatically set proxy concurrency #2691
feat: Improve builtin grafana setup to have traces and logs linked #2716
fix: Show gateway services in service-insights #2711
fix: Correct bad merging of duration #2700
fix: Ensure outbounds are set when migrating from old to new #2698
fix: get rid of regex for parsing IPs #2681
feat: add CP config to ZoneInsights #2661
feat: generate GatewayRoute clusters #2819
feat: add GatewayRoute route generation #2782
feat: match gateway routes #2758
feat: initial gateway TrafficRoute support #2547
feat: add a GatewayRoute resource #2591
chore: update base image for kuma-dp #2881
chore: change Go JWT version to fix security vunerability #2844
chore: bump go.uber.org/zap from 1.17.0 to 1.19.1 #2768
chore: bump google.golang.org/grpc from 1.38.0 to 1.40.0 #2737
chore: bump github.com/miekg/dns from 1.1.42 to 1.1.43 #2769
chore: upgrade github.com/spf13/cobra #2732
chore: bump alpine in /tools/releases/dockerfiles #2705
chore: bump github.com/onsi/gomega from 1.13.0 to 1.16.0 #2657
chore: update envoy to 1.18.4 #2667

1.3.0

Released on 2023/02/15

Built on top of Kuma 1.2.0

New L7 Traffic Routing policy to route and modify HTTP traffic per path, method, header, or any other combination, with support for regex. Traffic can be modified before reaching the final destination.
New Rate-Limit policy to protect services from aggressive traffic. This policy can protect from downtime and improve the overall reliability of your applications.
The “Remote” control plane is renamed to “Zone” control plane. This means the “Ingress” resource is renamed “ZoneIngress”. Thanks to community users for providing the feedback that drove this effort.
Traffic Permissions now work with external services.
Improved performance of our DNS resolution.
More improvements, including a fix for GCP/GKE’s erratic IPv6 support.
Updated to Envoy 1.18.3.

Includes kumahq/kuma@1.3.0 changelog

feat: remove provided ca cert validation #2663 👍contributed by Nikita Pande (@nikita15p)
feat: Use kuma-sd in kumactl install metrics #2654
feat: Add new datasource to kumactl install metrics #2640
fix: remove extra endline in traffic log default template #2514
fix: TLSInspector is causing tcp healthcheck failures #2639
feat: Add rate-limit to outbound interfaces #2435
fix: print a newline with transparent proxy setup message #2634
chore: bump alpine in /tools/releases/dockerfiles #2531
chore: annotate required fields in proto files #2556
chore: remove MADS v1alpha1 #2632
chore: parametrize kuma tracing in ZipkinCollectorURL #2635
chore: Add the number of services to usage stats #2628
feat: Add the permissive mTLS mode #2579
chore: open CAProvider and MeshValidator for extensions #2618
feat: Add entity for virtual-outbound #2576
fix: Don’t set zap.Development() in debug log #2608
chore(kuma-cp) upgrade gui to new version #2611, #2452, #2554, #2528, #2497, #2490, #2481
feat: Build kuma on Windows #2597, #2606, #2559
feat: Add CA backend stats in Dataplane and Mesh Insights #2562
fix: missing key for kv in reports logging #2598
chore: split listener configurers across source files #2592
feat: add simple HTTP connection configurers #2593
feat: add virtual host domain name configurer #2590
feat: return instance and cluster IDs in kuma-cp API statuses #2589
tests: allow kuma-specific const to be overridden #2582
feat: Intermediate CA support #2575
fix: Avoid nil dereferencing in dp validator #2578
chore: consistently use utils package for protobuf wrappers #2570
fix: subscription finalizer, rev 2 #2526
tests: fix flaky test for locality aware loadbalancing #2564
fix: DP tracking lock consistency fix #2567
chore: Certificates over ADS #2558
chore: migrate DiscoveryRequest/Response in KDS to V3 #2541
feat: Rewrite dns persistence to allow virtual-outbound to be added #2484
fix: deleted default policy is created on Kuma CP restart #2507
chore: Move kumactl logging arguments to where they can be parameterized #2544
chore: add route and virtual host configuration helpers #2517
chore: fix kumactl generate dataplane proxy-type flag deprecation message #2522 👍contributed by Tharun Rajendran
chore: Simplify resource-gen.go by generating ResourceDescriptor #2511
chore: Replace netcat with test server #2510
feat: configure SNI on ExternalService #2467
chore: add importas to golangci-lint #2516 👍contributed by Tharun Rajendran
chore: add to resource-gen.go generation of kds options #2487
chore: add to resource-gen.go generation of kumactl options #2469
fix: add owner when create ZoneIngressInsight #2456
fix: hijacker merge labels #2476
chore: improve resource-gen by auto generating ws code #2466
fix: clarify invalid resource type message #2473
fix: implement TextMarshaler for JSON keys #2475
chore: simplify resourceWsDefinition and server init #2477
fix: Stop adding outbounds to dp for vips #2421
chore(*) make port validation consistent #2448

1.2.6

Released on 2023/02/15

Built on top of Kuma 1.1.6.

Intermediate Certificate Authorities (CAs) are now supported with Vault integration.
You can now specify any and all tags in a Traffic Permission policy for Vault integration.
You can now specify TCP and HTTP health checks at the same time in the same policy. The health check policy also now includes a reuse_connection option.
The --gateway flag is now available in the CLI.
You can now install an ingress controller with the CLI. {{site.base_gateway}} is the first supported ingress controller.
You can now install the Kuma demo application with the CLI.

1.2.5

Released on 2023/02/15

Built on top of Kuma 1.1.5.

⚠️ All installation scripts are updated to a new location because Bintray is shutting down. If you’ve written automation scripts that refer to the Bintray location, you need to update your scripts to point to the new location.
Transparent proxying is improved.
The GUI is improved.
The locality is now always set in a multi-zone deployment.

1.2.4

Released on 2023/02/15

Built on top of Kuma 1.1.4.

Includes important bug fixes to version 1.1.3 of Kuma, plus improvements to the web UI.

1.2.3

Released on 2023/02/15

Built on top of Kuma 1.1.3. Notably:

Built-in DNS provides support for specifying external services by original hostname and port

Includes kumahq/kuma@1.2.3 changelog

fix(kumactl) warn about fail to check the CP version #2438
fix(kuma-cp) handle missing connection info #2439
chore(xds) rename logger to have consistent naming style #2375 👍contributed by burntcarrot
fix(kuma-cp) set better keep-alive for bootstrap #2432
fix(kuma-dp) validate the DP proxy type #2186
fix(kuma-cp) use the typed config for TLS Inspector #2373

1.2.2

Released on 2023/02/15

Built on top of Kuma 1.1.2 with fixes and improvements. Features include:

19 new observability charts and golden metrics.
IPv6 support across the service mesh.
New threshold configuration in the Circuit Breaker policy.
Performance improvements, especially with external services.
Stability improvements to kuma-cp and DNS resolution.

Includes kumahq/kuma@1.2.2 changelog

feat: add datadog traffic tracing #2269
refactor: add kumactl install tracing context #2343
chore: improve kumactl install transparent-proxy flags description, add extra validation #2352
fix: broken SDS auth and XDS generation on rapid DP restarts #2342
fix: allow verbose log levels #2351
chore: use resource types for DataplaneInsight tracking #2324
chore: improve resource manager initialization readability #2316
chore: upgrade gui to new version #2340, #2325, #2315
fix: allocate a new VIP for ExternalService host #2302
fix: stop components on leader election lost #2318
chore: generate system resource wrappers #2282, #2311
chore: remove access log V2 #2301
chore: generate DeepCopy interfaces #2222
chore: disable log sampling #2273
chore: upgrade Protocol Buffers #2244
chore: change default number of insights subscriptions #2266
chore: make the authentication interface type oblivious #2271
fix: fix hds disabled on dpserver #2268 👍contributed by Bastien Chatelard
chore: refactor xDS metadata to store a generic resource #2264
feat: change KDS max message limit #2265

1.2.1

Released on 2023/02/15

Fix to include the OPA CRD in the deployment
Build on top of Kuma 1.1.1 with fixes and improvements

Includes kumahq/kuma@1.2.1 changelog

fix: Dataplane/ZoneIngress/Zone status problem when control plane forcefully exits #2246
chore: reduce memory usage by reducing cache key size #2214 #2230 👍contributed by nhamlh
fix: ZoneIngress always shows up as ‘offline’ #2209
feat: dataplane use advertise address to add a routable ip if address is not public ip #2116 👍contributed by sudeeptoroy
fix: builtin DNS resolve alias with dots #2208
feat: add SNI to TLSed ExternalServices #2211
fix: fix race condition in cache #2202 👍contributed by nhamlh
fix: supported versions of Kuma DP in the GUI #2193

1.2.0

Released on 2023/02/15

Added Open Policy Agent integration
Improved authentication support for control planes in multi-zone deployments, with the Kuma Discovery Protocol (KDS)
Added FIPS support to the data plane proxy sidecar
Added XDSv3 for control plane to data plane proxy communication
Build on top of Kuma 1.1.0 with fixes and improvements

Includes kumahq/kuma@1.2.0 changelog

feat: Introduce ZoneIngress #2147 #2169
feat: enable dataplane dns by default #2152
feat: add –verbose flag to kuma-init #2156
feat: log rotation #2100 👍contributed by @nikita15p
feat: mads, allow specifying fetch-timeout via query param #2148 👍contributed by @austince
feat: mads, add support for HTTP long polling #2121 👍contributed by @austince
feat(mads) implement v1 API #1753 👍contributed by @austince
feat: add RateLimit policy #2083
feat: TrafficRoute L7 #2013 #2042 #2062 #2072 #2168
feat: allow renegotiation for TLS in ExternalServices #2135
feat: pass header when communicating with CP #2049 👍contributed by sudeeptoroy
feat: change default traffic route policy #2075
feat: command to install kong enterprise ingress #1999
feat: add postgres max idle connections configuration #2020 👍contributed by @nikita15p
feat: add kumactl –no-config flag #2048
feat: nodeselector across all pods with HELM #2012
feat: enable forwarding XFCC header #1941 👍contributed by @jewertow
feat: TrafficPermission for ExternalServices #1957
feat: metrics hijacker #1899
feat: extend CircuitBreaker #1655
chore: remove API V2 #2119
chore: bump webhooks version #2126
chore: drop deprecated Envoy options #2143
chore: dockerfiles, add a user for kuma-cp #2129
chore: bump cni version to 0.0.9 #2137
chore: rename remote cp to zone cp #2125
chore: bump versions of logging, metrics, tracing #2178
chore: parametrize bitnami/kubectl #2151
chore: backwards compatible metrics #2173
chore: upgrade Envoy version to 1.18.3 #2145
chore updated go-control-plane #2082 👍contributed by @sudeeptoroy
chore: fix misspelled words #1984 👍contributed by @tharun208
chore: upgrade GUI #2157
chore namespace source names for v1 API #1896 👍contributed by @austince
chore: use cmux for MADS server #1887
chore: Add internal support for outbound UDP listeners #1618 👍contributed by @lahabana
chore: Avoid generating duplicate subsets in ingress 👍contributed by @lahabana
chore: upgrade to apiextensions.k8s.io/v1 #1108 👍contributed by @austince
fix: Clear snapshots from cache on disconnect #2172 👍contributed by @lahabana
fix: use service account name to identify sync #2127
fix: raise the regex program size limit #2139
fix: pass query parameters through the metrics hijacker #2124
fix: matching endpoints by tags #2096
fix: manage and warn on control plane file limits #2057 #2106
fix: fix transparent-proxy for GCP/GKE #2051
fix: set death signal on child processes #2045
fix: TrafficRoute in multizone issue #1979