2.2.0
We’re excited to announce the release of Kuma 2.2. This new minor release adds some long-awaited features, more incremental improvements to our UI and policies, and many more minor features and bug fixes.
In order to take advantage of the latest and greatest in service mesh, we strongly suggest upgrading to Kuma 2.2. Upgrading is easy through kumactl or Helm.
Notable features
Flexibility
OpenTelemetry support for tracing and access logging
Added the ability to define MeshProxyPatch policies using JSONPatch, allowing greater power and flexibility to customize underlying Envoy configuration
Multiple improvements and functionality added to the MeshHTTPRoute policy, including:
Cross-zone support
Request mirroring
Host header rewrites for the MeshGateway
Header matching
Support for retry predicates and priorities
Additional options for customizing the pods backing a MeshGatewayInstance deployment
Upgraded underlying Envoy version to 1.25
Various other bug fixes and quality-of-life improvements across the product
Scalability
New MeshLoadBalancing policy, enabling more granular control of load balancing configuration between services
Official support for deploying a Universal mode global control plane (Postgres-backed) to a Kubernetes cluster for better availability and resilience characteristics
Security
Ability to provide a public key for offline token signing and validation
Changelog
Modify helm.sh script to make sure no duplicate manifests will be present in packaged chart #6512 @bartsmykla
chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5982 @lahabana
chore(deps): bump actions/setup-go from 3 to 4 #6311 @dependabot
chore(deps): bump cirello.io/pglock from 1.10.0 to 1.11.0 #6149 @dependabot
chore(deps): bump coredns from 1.10.0 to 1.10.1 #6227 @michaelbeaumont
chore(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.10.0 #6152 @dependabot
chore(deps): bump github.com/containerd/cgroups from 1.0.4 to 1.1.0 #5878 @dependabot
chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 #6051 @dependabot
chore(deps): bump github.com/emicklei/go-restful/v3 from 3.10.1 to 3.10.2 #6261 @dependabot
chore(deps): bump github.com/envoyproxy/go-control-plane from 0.10.3 to 0.11.0 #5947 @dependabot
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.1 #6307 #6316 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.2.3 to 1.2.4 #6454 @dependabot
chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.4.3 to 4.5.0 #6071 @dependabot
chore(deps): bump github.com/golang/protobuf from 1.5.2 to 1.5.3 #6263 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.41.9 to 0.41.15 #5924 #6076 #6258 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.50 to 1.1.53 #6150 #6262 #6453 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.9.2 #5928 #6043 #6074 #6172 #6208 #6260 #6355 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.25.0 to 1.27.6 #5874 #6072 #6167 #6259 #6271 #6353 #6450 @dependabot
chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.42.0 #6073 #6273 @dependabot
chore(deps): bump github.com/prometheus/prometheus from 0.41.0 to 0.42.0 #5927 @dependabot
chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 #6475 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe from 0.0.0-20190820222348-6adcf1eecbcc to github.com/spiffe/go-spiffe/v2 #6151 @dependabot
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.2 to 2.1.4 #6313 #6451 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.15.0 to 0.18.0 #6075 @dependabot
chore(deps): bump github.com/vishvananda/netns to 0.0.4 #6103 @mmorel-35
chore(deps): bump go from 1.18 to 1.20.2 #6179 #6279 @jakubdyszkiewicz,@lahabana
chore(deps): bump go.uber.org/multierr from 1.9.0 to 1.11.0 #6264 #6452 @dependabot
chore(deps): bump golang.org/x/net from 0.5.0 to 0.8.0 #6003 #6042 #6209 @dependabot
chore(deps): bump golang.org/x/sys from 0.4.0 to 0.7.0 #5948 #6476 @dependabot
chore(deps): bump golang.org/x/text from 0.6.0 to 0.8.0 #6004 #6211 @dependabot
chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.54.0 #5877 #5946 #6354 @dependabot
chore(deps): bump google.golang.org/protobuf from 1.28.1 to 1.30.0 #6274 #6309 @dependabot
chore(deps): bump gopkg.in/natefinch/lumberjack.v2 from 2.0.0 to 2.2.1 #5949 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.11.0 to 3.11.2 #5962 #6265 @dependabot
chore(deps): bump k8s.io/apiextensions-apiserver from 0.26.1 to 0.26.3 #6168 #6318 @dependabot
chore(deps): bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 #6207 @dependabot
chore(deps): bump k8s.io/kubectl from 0.26.1 to 0.26.3 #6171 #6308 @dependabot
chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.1 to 0.14.6 #5875 #5926 #6210 #6455 @dependabot
chore(deps): bump sigs.k8s.io/controller-tools from 0.11.1 to 0.11.3 #5876 #5925 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from v0.5.1 to v0.6.0 #5559 @michaelbeaumont
chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #5879 @dependabot
chore(deps): remove dependency on github.com/prometheus/prometheus #6204 @lahabana
chore(deps): security update #6397 #6473 @kumahq
chore(deps): use latest kumahq/kuma-gui #5866 #5883 #5911 #5931 #5937 #5940 #5952 #5958 #6002 #6067 #6078 #6155 #6158 #6161 #6176 #6197 #6216 #6243 #6302 #6317 #6345 #6360 #6373 #6400 #6402 #6425 @kumahq
feat(GatewayAPI): support HTTPRoutePathRedirect #6437 @michaelbeaumont
feat(GatewayAPI): support ResponseHeaderModifier in HTTPRoute #6000 @michaelbeaumont
feat(GatewayAPI): update to v0.6.2 #6293 @michaelbeaumont
feat(MeshAccessLog): support OpenTelemetry #5999 @michaelbeaumont
feat(MeshGateway): auto host rewrite for gateway route #6328 @bartsmykla
feat(MeshGateway): support deployment customization for MeshGatewayInstance #6348 #6388 @johnharris85
feat(MeshHTTPRoute): add RequestMirror filter #6064 @lobkovilya
feat(MeshHTTPRoute): add header matching #5943 @michaelbeaumont
feat(MeshHTTPRoute): add path modifier to redirect #5918 @lobkovilya
feat(MeshHTTPRoute): cross-zone support #5984 @michaelbeaumont
feat(MeshProxyPatch): add json patch support #6281 @bartsmykla
feat(MeshRetry): add host selection predicates #6465 @johnharris85
feat(MeshTrace): add support for opentelemetry trace backend #5992 @frzifus
feat(api-server): manual mTLS #5979 @jakubdyszkiewicz
feat(api-server): whoami endpoint #6120 @jakubdyszkiewicz
feat(auth): separate authenticators for dp and zone proxy #5991 @jakubdyszkiewicz
feat(helm): add default CNI resources #6287 @michaelbeaumont
feat(helm): dynamic admission server port #6344 @d4kine
feat(helm): make egress resources configurable #6286 @dascole
feat(helm): make it possible to install universal cp on k8s #5913 @slonka
feat(k8s): add a configuration option to list allowed service accounts #6505 @slonka
feat(k8s): add annotation prometheus.metrics.kuma.io/aggregate-application-address to scrape custom address on k8s #6289 @slonka
feat(k8s): set kubectl.kubernetes.io/default-container pod annotation #6055 @michaelbeaumont
feat(kds): allow running non-tls KDS server #6145 @slonka
feat(kds): delta KDS #6278 #6358 @lukidzi
feat(kds): enable nack backoff #5894 @jakubdyszkiewicz
feat(kuma-cp): allow Mesh default resources regeneration without deletion and restart #6223 @michaelbeaumont
feat(kuma-cp): init container first by default #5857 @zekth
feat(kumactl): generate public key command #5917 @jakubdyszkiewicz
feat(kumactl): remove ca-cert or skip-verify requirement #6140 @jakubdyszkiewicz
feat(persistence): change lib/pq to pgx #6257 @slonka
feat(persistence): create pgx store #6359 #6457 @slonka
feat(policies): extend policy matching API to work with egress and external services #6379 @lobkovilya
feat(policies): implement MeshLoadBalancingStrategy #6117 #6163 #6202 #6390 @lobkovilya
feat(tokens): allow kid to be a string #5944 @jakubdyszkiewicz
feat(tokens): issue tokens offline #5919 @jakubdyszkiewicz
feat(tokens): offline validation #6085 @jakubdyszkiewicz
feat(tproxy): make tproxy v2 and CNI v2 default #6083 @bartsmykla
fix(GatewayAPI): always set an explicit HTTPRoute Parents in status #6367 @michaelbeaumont
fix(GatewayAPI): correctly handle invalid backendRefs #6428 @michaelbeaumont
fix(MeshHTTPRoute): filter URLRewrite should be configured with ClusterSpecifier #5920 @lobkovilya
fix(MeshRetry): guard against multiple previous priorities #6496 @johnharris85
fix(MeshTimeout): apply MeshTimeout defaults when one of from or to section is missing #5902 @Automaat
fix(ca/builtin): be less verbose when creating CA secrets #6217 @michaelbeaumont
fix(docker): set SHELL to an existing binary #6192 @michaelbeaumont
fix(docker): use no ssl image #5560 @slonka
fix(helm): add appProtocol to services we create #6157 @lahabana
fix(helm): don’t include taint controller env when cni disabled #6148 @lukidzi
fix(helm): don’t specify a default type for extraSecrets #5932 @wheelerlaw
fix(helm): make it possible to use custom CA in egress and ingress #5980 @lahabana
fix(helm): postgres client cert setup #6335 @slonka
fix(helm): remove universal on kubernetes env vars that are supposed to be provided via secrets #5938 @slonka
fix(helm): security contexts for ebpf cleanup hook #6235 @bartsmykla
fix(helm): set CP memory limits, by default equal to memory request, set CP CPU requests #6127 @michaelbeaumont
fix(helm): set migration container resources and securityContext #6255 @michaelbeaumont
fix(helm): set readOnlyRootFilesystem/runAsNonRoot, create a ServiceAccount in correct release namespace #6121 @michaelbeaumont
fix(helm): set readOnlyRootFilesystem/runAsUser/runAsGroup on ingress/egress deployments #6164 @michaelbeaumont
fix(helm): upgrade CRDs instead of installing missing CRDs #6403 @jakubdyszkiewicz
fix(helm): use emptyDir at /tmp with CP #6162 @michaelbeaumont
fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 #6374 @jakubdyszkiewicz
fix(kuma-cp): allow names of the resource to be longer and validate the length #6123 @lukidzi
fix(kuma-cp): change default value for KubeOutboundsAsVIPs #6057 @Automaat
fix(kuma-cp): change validation of resources synced to global #6178 @jakubdyszkiewicz
fix(kuma-cp): don’t let CA requests for other meshes block generation #6282 @michaelbeaumont
fix(kuma-cp): traffic split with internal and external service #5904 @lobkovilya
fix(kuma-cp): zone ingress mixes services with the same name in different meshes #6364 @lobkovilya
fix(kumactl): don’t check compatibility when talking to a preview version #6143 @lahabana
fix(policy): merging of policies results in not applying policy on some outbounds #6460 @jakubdyszkiewicz
fix(tproxy): allow disabling ipv6 for tproxy #5923 @bartsmykla