This edge release introduces several changes around metrics. ReplicaS…

…ets are now

a supported resource and metrics can be associated with them. A new metric has
been added which counts proxy errors encountered before a protocol can be
detected. Finally, the request errors metric has been split into separate
inbound and outbound directions.

* Fixed printing `check --pre` command usage if it fails after being unable to
  connect to Kubernetes (thanks @rdileep13!)
* Updated the default skip and opaque ports to match that which is listed in the
  [documentation](https://linkerd.io/2.10/features/protocol-detection/#configuring-protocol-detection)
* Added the `LINKERD2_PROXY_INBOUND_PORTS` environment variable during proxy
  injection which will be used by ongoing policy changes
* Added client-go cache size metrics to the `diagnostics controller-metrics`
  command
* Added validation that the certificate provided by an external issuer is a CA
  (thanks @rumanzo!)
* Added metrics support for ReplicaSets
* Replaced the `request_errors_total` metric with two new metrics:
  `inbound_http_errors_total` and `outbound_http_errors_total`
* Introduced the `inbound_tcp_accept_errors_total` and
  `outbound_tcp_accept_errors_total` metrics which count proxy errors
  encountered before a protocol can be detected

This edge release focuses on dependency updates and has a couple of f…

…unctional

changes. First, the Dockerfile used to build the proxy has been updated to use
the default `distroless` image, rather than the non-root variant. This change
is safe because the proxy already runs as non-root within the container. Second,
the `ignoreInboundPorts` parameter has been added in the linkerd2-cni helm
charts in order to enable tap support.

* Updated several project dependencies
* Updated the Dockerfile-proxy to use the default distroless image, because
  the proxy already runs as non-root within the container
* Added `ignoreInboundPorts` parameter to the linkerd2-cni plugin helm chart

This edge release adds support for emitting Kubernetes events in the …

…identity

controller when issuing leaf certificates. The event includes the identity,
expiry date, and a hash of the certificate. Additionally, this release contains
many dependency updates for the control plane's components, and it includes a
fix for an issue with the clusterNetworks healthcheck.

* Updated the identity controller to emit Kubernetes events when successfully
  issuing leaf certificates to injected pods.
* Fixed an issue in `linkerd check` where the clusterNetworks healthcheck
  would fail if the `podCIDR` field is omitted from a node's spec.
* Removed unnecessary controller port-forward logic from the `bin/web` script.

Change notes for edge-21.6.4 (linkerd#6370)

## edge-21.6.4

This release contains a few improvements, from many contributors!  Also under
the hood, the destination service has received updates in preparation to the
upcoming support for StatefulSets across multicluster.

* Improved the `linkerd check --proxy` command to avoid hitting a timeout when
	dealing with large clusters
* Fixed the web component permissions in order to properly run the podCIDR check
	(thanks @aryan9600!)
* Avoid having the proxy-init container fail when the main container is
	configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks
	@aryan9600!)
* Upgraded the proxy-init image to improve the output in "simulate" mode (thanks
	@liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)
* Added test-coverage reports to PRs (thanks @akshitgrover!)

## edge-21.6.4

This release contains a few improvements, from many contributors!  Also under
the hood, the destination service has received updates in preparation to the
upcoming support for StatefulSets across multicluster.

* Improved the `linkerd check --proxy` command to avoid hitting a timeout when
  dealing with large clusters
* Fixed the web component permissions in order to properly run the podCIDR check
  (thanks @aryan9600!)
* Avoid having the proxy-init container fail when the main container is
  configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks
  @aryan9600!)
* Upgraded the proxy-init image to improve the output in "simulate" mode (thanks
  @liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)
* Added test-coverage reports to PRs (thanks @akshitgrover!)

This release moves the Linkerd proxy to a more minimal Docker base im…

…age,

adds a check for detecting certain network misconfigurations, and replaces
the deprecated OpenCensus collector with the OpenTelemetry collector in the
jaeger extension.

* Switched the Linkerd proxy's base docker image from Debian to a minimal
  distroless base image (thanks @tskinn!)
* Added a check to verify that Linkerd's clusterNetworks settings match the
  cluster's pod CIDR networks (thanks @aryan9600!)
* Replaced the deprecated OpenCensus collector with the OpenTelemetry
  collector in the jaeger extension (thanks @aatarasoff!)

This release fixes a problem with the HTTP body buffering that was added

to support gRPC retries. Now, only requests with a retry configuration
are buffered (and only when their bodies are less than 64KB).

Additionally, an issue with the outbound ingress-mode proxy where forwarded
HTTP clients could fail to detect when the target pod was deleted, causing
connections to retry forever has been fixed. This only impacted traffic
forwarded directly to pod IPs and not load balanced services.

Finally, this release also includes some fixes in the CLI and dashboard.

* Added a new check that verifies if the opaque ports annotation is
  misconfigured on services or pods (thanks @migue!)
* Added support for resource aware completion for core linkerd command
* Fixed an issue where `namespace` resource was erroneously being shown
  in the dashboard's topology graph
* Added uninstall command support for legacy extension installs
* Updated the proxy to only buffer request bodies when a request can be retried
* Updated the proxy to prevent buffering indefinitely on requests
  when endpoints are updated in ingress mode
* Fixed spelling mistakes across various files in the project
  (thanks @jsoref!)

This release adds support for retrying HTTP/2 requests with small (<6…

…4KB)

message bodies, allowing the proxy to properly buffer message bodies when
responses are classified as a failure. Documentation on how to configure
retries can be found [here](https://linkerd.io/2.10/tasks/configuring-retries/).

This release also modifies the proxy's identity subsystem to instantiate a
client on-demand so client connections are not retained continually. Also
included in this release are various bug fixes and improvements as well as
expanding support for resource-aware tab completion in the jaeger and
multicluster CLI extensions.

* Added support for specifying a `gateway-port` flag for the `multicluster link`
  command (thanks @psmit!)
* Added support for Kubernetes resource aware tab completion for `jaeger` and
  `multicluster` commands
* Fixed an issue where `viz`, `jaeger` and `multicluster` extensions could not
  be installed on `PodSecurityPolicy`-enabled clusters
* Fixed an issue where `linkerd check --proxy` could incorrectly report
  out-of-date proxy versions caused by incorrect regex (thanks @aryan9600!)
* Added support for the proxy to retry HTTP/2 requests with message bodies
  <= 64KB
* Modified the proxy's controller stack to create new client connections
  on-demand
* Fixed Viz's `uninstall` command to remove viz installations that used the
  legacy `linkerd.io/extension: linkerd-viz` label (thanks @jsoref!)
* Expanded the "linkerd-existence" health check to also check for the
  destination pod readiness

This edge release contains various improvements to the Viz and Jaeger…

… install

charts, along with bug fixes in the CLI, and destination. This release also
adds kubernetes aware autocompletion to all viz commands, along with
ServiceProfiles to be part of the default `viz install`.

Finally, the proxy has been updated to continue supporting requests without
`l5d-dst-override` in ingress-mode proxies, to no longer include query parameters
in the OpenCensus trace spans, and to prevent timeouts with controller clients
of components with more than one replica.

* Separated protocol hint setting from H2 upgrades in destination profile
  response, thus preventing `hint.OpaqueTransport` field from not being set when
  H2 upgrades are disabled
* Updated OpenCensus trace spans for HTTP requests to no longer include query
  parameters (thanks @aatarasoff!)
* Reverted [linkerd/linkerd2-proxy#992](linkerd/linkerd2-proxy#992)
  to support requests without `l5d-dst-override` in ingress-mode proxies
* Fixed an issue in the proxy to prevent timeouts with controller clients
  of components with more than one replica
* Fixed `linkerd check --proxy` failure with pods that are part of Jobs
* Updated `viz install` to also include ServiceProfiles of its components.
  As a side-effect, `linkerd diagnostics install-sp` cmd has been removed
* Added support for Kubernetes resource aware tab completion for all
  viz commands
* Updated destination to prefer `ServiceProfile.dstOverrides` over
  `TrafficSplit` when both are present for a service
* Added toggle flags for `collector` and `jaeger` components in the
  jaeger extension (thanks @tarvip!)
* Added support for setting `nodeselector`, `toleration` fields for components
  in the Viz extension (thanks @aatarasoff!)
* Fixed a templating issue in Viz, making `podAnnotations` field
  work with prometheus
* Updated Golang version to 1.16.4
* Removed unnecessary `--addon-overwrite` flag in `linkerd upgrade`

This edge release updates the proxy-init container to check whether t…

…he iptables

rules have already been added, which prevents errors if the proxy-init container
is restarted. Also, the `viz stat` command now has tab completion for Kubernetes
resources, saving you precious keystrokes! Finally, the proxy has been updated
with several fixes and improvements.

* Added instructions to `build.md` for using a locally built proxy
  (thanks @jroper!)
* Added support for Kubernetes resource aware tab completion to the `viz stat`
  command
* Updated `proxy-init` to skip configuring firewall if rules exists
* Fixed `viz uninstall` to delete all RBAC objects (thanks @aryan9600!)
* Improved diagnostics for rejected profile discovery
* Added the `l5d-client-id` header on mutually-authenticated inbound requests so
  that applications can discover the client's identity.
* Reduced proxy resource usage when there are no profiles
* Changed the admin server to assume all meshed connections are HTTP/2 and fail
  connections when that is not the case
* Updated the proxy to require the `l5d-dst-override` header on outbound
  requests when the proxy is in ingress-mode
* Removed support for TCP-forwarding in ingress-mode