Buoyant Enterprise for Linkerd

enterprise-2.15.3

May 20, 2024

The 2.15.3 stable point release includes a variety of bug fixes, usability improvements, and new diagnostic and configuration features. It also adjusts the default configuration of the HAZL load balancer to be more aggressive in shifting load to other zones.

Previous release: enterprise-2.15.2.

Who should upgrade?

• Users who are using native sidecars should upgrade. This release contains several bugfixes related to native sidecars.
• Users who are making heavy use of HTTPRoutes, or who are experiencing high memory usage in the policy controller accompanied by “Failed to patch HTTPRoute” error messages, should upgrade. This release fixes an issue with how the policy controller was interacting with the Kubnetes API for HTTPRoutes.
• Users who are using multicluster should upgrade. This release fixes a panic in the service mirror controller as well as another minor issue.

How to upgrade

Please see the instructions in Upgrading BEL.

Note that in this release, we’ve moved the on-cluster storage for license keys from ConfigMaps to Secrets. Users with license keys in ConfigMaps will be automatically upgraded to a Secret. For more information on managing licenses, see Configuring license secret installation.

To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.29.0 or later.

Full Changelog

CLI changes

• Print license information to stderr instead of stdout
• Install version edge-24.2.4 of viz and jaeger extensions, rather than pointing to non-existing BEL versions
• Remove the need to include the --set license= flag on install commands
• Add a diagnostics profile command (backported from linkerd2#12383)

Helm chart changes

• Correct the minimum supported Kubernetes version in the BEL Helm charts to 1.22 (not 1.21)
• Support arbitrary proxy parameters in Helm values (backported from linkerd2#12493)

Control plane changes

• Move license storage from a ConfigMap to a Secret
• Revert HAZL default load band parameters to the configuration used in BEL 2.15.1 and earlier, allowing HAZL to be more aggressive in shifting to other zones by default
• Update HTTPRoutes CRD to include a port field in the route status parent ref (backported from linkerd2#12454)
• Fix multiple issues with native sidecars (backported from linkerd2#12453)
• Update policy controller to rename “patchs” metric to “patches” (backported from linkerd2#12533)

Extension changes

• Fix panic in mulitcluster service mirror controller (backported from linkerd2#12406)
• Avoid unnecessary headless endpoint mirrors cleanups during GC (backported from linkerd2#12500)

Proxy changes

• Clear balancer endpoint gauges on teardown (backported from linkerd2-proxy#2928)
• Configure HTTP/2 server parameters (backported from linkerd2-proxy#2924)
• Configure HTTP/2 client overrides from discovery (backported from linkerd2-proxy#2937)

CVE remediations and updates

• Update Rust rustls dependency to remediate CVE-2024-32650 (first fixed in hotpatch enterprise-2.15.2-1)
• Update proxy base Docker image and proxy build base Docker image to remediate CVE-2024-2961 (first fixed in hotpatch enterprise-2.15.2-2)
• Update busybox in proxy-init Docker image to remediate CVE-2023-42366
• Update Go from 1.22.2 to 1.22.3