# github.com/telepresenceio/telepresence/v2@v2.20.0-pro.6.0.20240517030216-236ea954e789/CHANGELOG.yml
#
# The YAML in this file should contain:
#
# changelog: An (optional) URL to the CHANGELOG for the product.
# items: An array of releases with the following attributes:
#     - version: The (optional) version number of the release, if applicable.
#     - date: The date of the release in the format YYYY-MM-DD.
#     - notes: An array of noteworthy changes included in the release, each having the following attributes:
#         - type: The type of change, one of `bugfix`, `feature`, `security` or `change`.
#         - title: A short title of the noteworthy change.
#         - body: >-
#             Two or three sentences describing the change and why it
#             is noteworthy. This is HTML, not plain text or
#             markdown. It is handy to use YAML's ">-" feature to
#             allow line-wrapping.
#         - image: >-
#             The URL of an image that visually represents the
#             noteworthy change. This path is relative to the
#             `release-notes` directory; if this file is
#             `FOO/releaseNotes.yml`, then the image paths are
#             relative to `FOO/release-notes/`.
#         - docs: The path to the documentation page where additional information can be found.
#         - href: A path from the root to a resource on the getambassador website, takes precedence over a docs link.
#
# For older changes, see CHANGELOG.OLD.md

docTitle: Telepresence Release Notes
docDescription: >-
  Release notes for Telepresence by Ambassador Labs, a CNCF project
  that enables developers to iterate rapidly on Kubernetes
  microservices by arming them with infinite-scale development
  environments, access to instantaneous feedback loops, and highly
  customizable development environments.

items:
  - version: 2.19.0
    date: (TBD)
    notes:
      - type: bugfix
        title: Improve how the traffic-manager resolves DNS when no agent is installed.
        body: >-
          The traffic-manager is typically installed into a namespace different from the one that clients are
          connected to. It's therefore important that the traffic-manager adds the client's namespace when
          resolving single label names in situations where there aren't any agents to dispatch the DNS query to.
      - type: change
        title: Removal of the ability to import legacy artifacts into Helm.
        body: >-
          A helm install would make attempts to find manually installed artifacts and make them managed by
          Helm by adding the necessary labels and annotations. This was important when the Helm chart was first
          introduced but is far less so today, and this legacy import was therefore removed.
      - type: bugfix
        title: Docker aliases deprecation caused failure to detect Kind cluster.
        body: >-
          The logic for detecting if a cluster is a local Kind cluster, and therefore needs some special attention when
          using <code>telepresence connect --docker</code>, relied on the presence of <code>Aliases</code> in the Docker
          network that a Kind cluster sets up. In Docker versions from 26 and up, this value is no longer used, but the
          corresponding info can instead be found in the new <code>DNSNames</code> field.
        docs: https://docs.docker.com/engine/deprecated/#container-short-id-in-network-aliases-field
      - type: bugfix
        title: Include svc as a top-level domain in the DNS resolver.
        body: >-
          It's not uncommon that use-cases involving Kafka or other middleware use FQNs that end with
          "svc". The core-DNS resolver in Kubernetes can resolve such names. With this bugfix,
          the Telepresence DNS resolver will also be able to resolve them, and thereby remove the need
          to add ".svc" to the include-suffix list.
        docs: https://github.com/telepresenceio/telepresence/issues/2814
      - type: feature
        title: Add ability to enable/disable the mutating webhook.
        body: >-
          A new Helm chart boolean value <code>agentInjector.enable</code> has been added that controls the agent-injector
          service and its associated mutating webhook. If set to <code>false</code>, the service, the webhook, and the
          secrets and certificates associated with it, will no longer be installed.
      - type: feature
        title: Add ability to mount a webhook secret.
        body: >-
          A new Helm chart value <code>agentInjector.certificate.accessMethod</code> which can be set to <code>watch</code>
          (the default) or <code>mount</code> has been added. The <code>mount</code> setting is intended for clusters with
          policies that prevent containers from doing a <code>get</code>, <code>list</code> or <code>watch</code> of a
          <code>Secret</code>, but where a latency of up to 90 seconds is acceptable between the time the secret is
          regenerated and the agent-injector picks it up.
      - type: feature
        title: Make it possible to specify ignored volume mounts using path prefix.
        body: >-
          Volume mounts like <code>/var/run/secrets/kubernetes.io</code> are not declared in the workload. Instead, they
          are injected during pod-creation and their names are generated. It is now possible to ignore such mounts using a
          matching path prefix.
      - type: feature
        title: Make the telemount Docker Volume plugin configurable
        body: >-
          A <code>telemount</code> object was added to the <code>intercept</code> object in <code>config.yml</code>
          (or Helm value <code>client.intercept</code>), so that the automatic download and installation of this plugin can
          be fully customised.
      - type: feature
        title: Add option to load the kubeconfig yaml from stdin during connect.
        body: >-
          This allows another process with a kubeconfig already loaded in memory
          to directly pass it to <code>telepresence connect</code> without needing a separate
          file. Simply use a dash "-" as the filename for the <code>--kubeconfig</code> flag.
      - type: feature
        title: Add ability to specify agent security context.
        body: >-
          A new Helm chart value <code>agent.securityContext</code> was added that allows configuring the security context of
          the injected traffic agent. The value can be set to a valid Kubernetes securityContext object, or can be set
          to an empty value (<code>{}</code>) to ensure the agent has no defined security context. If no value is specified,
          the traffic manager will set the agent's security context to the same as that of the first container of the workload
          being injected into.
      - type: change
        title: Tracing is no longer enabled by default.
        body: >-
          Tracing must now be enabled explicitly in order to use the <code>telepresence gather-traces</code>
          command.
      - type: change
        title: Removal of timeouts that are no longer in use
        body: >-
          The <code>config.yml</code> values <code>timeouts.agentInstall</code> and <code>timeouts.apply</code> haven't
          been in use since versions prior to 2.6.0, when the client was responsible for installing the traffic-agent.
          These timeouts are now removed from the code-base, and a warning will be printed when attempts are made to use
          them.
      - type: bugfix
        title: Search all private subnets to find one open for dnsServerSubnet
        body: >-
          This resolves a bug that did not test all subnets in a private range, sometimes resulting in the warning,
          "DNS doesn't seem to work properly."
  - version: 2.18.4
    date: (TBD)
    notes:
      - type: bugfix
        title: Docker aliases deprecation caused failure to detect Kind cluster.
        body: >-
          The logic for detecting if a cluster is a local Kind cluster, and therefore needs some special attention when
          using <code>telepresence connect --docker</code>, relied on the presence of <code>Aliases</code> in the Docker
          network that a Kind cluster sets up. In Docker versions from 26 and up, this value is no longer used, but the
          corresponding info can instead be found in the new <code>DNSNames</code> field.
  - version: 2.18.3
    date: (TBD)
    notes:
      - type: bugfix
        title: Creation of individual pods was blocked by the agent-injector webhook.
        body: >-
          An attempt to create a pod was blocked unless it was provided by a workload. Hence, commands like
          <code>kubectl run -i busybox --rm --image=curlimages/curl --restart=Never -- curl echo-easy.default</code>
          would be blocked from executing.
  - version: 2.18.2
    date: (TBD)
    notes:
      - type: bugfix
        title: Fix panic due to root daemon not running.
        body: >-
          If a <code>telepresence connect</code> was made at a time when the root daemon was not running (an abnormal
          condition) and a subsequent intercept was then made, a panic would occur when the port-forward to the agent
          was set up. This is now fixed so that the initial <code>telepresence connect</code> is refused unless the root
          daemon is running.
  - version: 2.18.1
    date: (TBD)
    notes:
      - type: bugfix
        title: Get rid of telemount plugin stickiness
        body: >-
          The <code>datawire/telemount</code> that is automatically downloaded and installed, would never be
          updated once the installation was made. Telepresence will now check for the latest release of the
          plugin and cache the result of that check for 24 hours. If a new version arrives, it will be
          installed and used.
      - type: bugfix
        title: Use route instead of address for CIDRs with masks that don't allow "via"
        body: >-
          A CIDR with a mask that leaves less than two bits (/31 or /32 for IPv4)
          cannot be added as an address to the VIF, because such addresses must
          have bits allowing a "via" IP.

          The logic was modified to allow such CIDRs to become static routes, using the
          VIF base address as their "via", rather than being VIF addresses in their own right.
      - type: bugfix
        title: Containerized daemon created cache files owned by root
        body: >-
          When using <code>telepresence connect --docker</code> to create a containerized daemon, that
          daemon would sometimes create files in the cache that were owned by root, which then caused
          problems when connecting without the <code>--docker</code> flag.
      - type: bugfix
        title: Remove large number of requests when traffic-manager is used in large clusters.
        body: >-
          The traffic-manager would make a very large number of API requests during cluster start-up
          or when many services were changed for other reasons. The logic that did this was refactored
          and the number of queries was significantly reduced.
      - type: bugfix
        title: Don't patch probes on replaced containers.
        body: >-
          A container that is being replaced by a <code>telepresence intercept --replace</code>
          invocation will have no liveness-, readiness-, nor startup-probes. Telepresence didn't
          take this into consideration when injecting the traffic-agent, but now it will refrain
          from patching symbolic port names of those probes.
      - type: bugfix
        title: Don't rely on context name when deciding if a kind cluster is used.
        body: >-
          The code that auto-patches the kubeconfig when connecting to a kind cluster from within
          a docker container, relied on the context name starting with "kind-", but although all
          contexts created by kind have that name, the user is still free to rename it or to create
          other contexts using the same connection properties. The logic was therefore changed
          to instead look for a loopback service address.
  - version: 2.18.0
    date: "2024-2-9"
    notes:
      - type: feature
        title: Include the image for the traffic-agent in the output of the version and status commands.
        body: >-
          The version and status commands will now output the image that the traffic-agent will be using when injected
          by the agent-injector.
      - type: feature
        title: Custom DNS using the client DNS resolver.
        body: >-
          <p>A new <code>telepresence connect --proxy-via CIDR=WORKLOAD</code> flag was introduced, allowing Telepresence
          to translate DNS responses matching specific subnets into virtual IPs that are used locally. Those virtual IPs
          are then routed (with reverse translation) via the pods of a given workload. This makes it possible to handle
          custom DNS servers that resolve domains into loopback IPs. The flag may also be used in cases where the
          cluster's subnets are in conflict with the workstation's VPN.</p>
          <p>The CIDR can also be a symbolic name that identifies a subnet or list of subnets:<table>
            <tr><td><code>also</code></td><td>All subnets added with --also-proxy</td></tr>
            <tr><td><code>service</code></td><td>The cluster's service subnet</td></tr>
            <tr><td><code>pods</code></td><td>The cluster's pod subnets.</td></tr>
            <tr><td><code>all</code></td><td>All of the above.</td></tr>
          </table></p>
      - type: bugfix
        title: Ensure that agent.appProtocolStrategy is propagated correctly.
        body: >-
          The <code>agent.appProtocolStrategy</code> was inadvertently dropped when moving license related code from the
          OSS repository to the repository for the Enterprise version of Telepresence. It has now been restored.
      - type: bugfix
        title: Include non-default zero values in output of telepresence config view.
        body: >-
          The <code>telepresence config view</code> command will now print zero values in the output when
          the default for the value is non-zero.
      - type: bugfix
        title: Restore ability to run the telepresence CLI in a docker container.
        body: >-
          The improvements made to be able to run the telepresence daemon in docker
          using <code>telepresence connect --docker</code> made it impossible to run
          both the CLI and the daemon in docker. This commit fixes that and
          also ensures that the user- and root-daemons are merged in this
          scenario when the container runs as root.
      - type: bugfix
        title: Remote mounts when intercepting with the --replace flag.
        body: >-
          A <code>telepresence intercept --replace</code> did not correctly mount all volumes, because when the
          intercepted container was removed, its mounts were no longer visible to the agent-injector when it
          was subjected to a second invocation. The container is now kept in place, but with an image that
          just sleeps infinitely.
      - type: bugfix
        title: Intercepting with the --replace flag will no longer require all subsequent intercepts to use --replace.
        body: >-
          A <code>telepresence intercept --replace</code> will no longer switch the mode of the intercepted workload,
          forcing all subsequent intercepts on that workload to use <code>--replace</code> until the agent is
          uninstalled. Instead, <code>--replace</code> can be used interchangeably just like any other intercept flag.
      - type: bugfix
        title: Kubeconfig exec authentication with context names containing colon didn't work on Windows
        body: >-
          The logic added to allow the root daemon to connect directly to the cluster using the user daemon as a proxy
          for exec type authentication in the kube-config, didn't take into account that a context name sometimes
          contains the colon ":" character. That character cannot be used in filenames on Windows because it is the
          drive letter separator.
      - type: bugfix
        title: Provide agent name and tag as separate values in Helm chart
        body: >-
          The <code>AGENT_IMAGE</code> was a concatenation of the agent's name and tag. This is now changed so that the
          env instead contains an <code>AGENT_IMAGE_NAME</code> and <code>AGENT_IMAGE_TAG</code>. The <code>AGENT_IMAGE
          </code> is removed. Also, a new env <code>REGISTRY</code> is added, where the registry of the traffic-
          manager image is provided. The <code>AGENT_REGISTRY</code> is no longer required
          and will default to <code>REGISTRY</code> if not set.
      - type: bugfix
        title: Environment interpolation expressions were prefixed twice.
        body: >-
          Telepresence would sometimes prefix environment interpolation expressions in the traffic-agent twice so
          that an expression that looked like <code>$(SOME_NAME)</code> in the app-container, ended up as <code>
          $(_TEL_APP_A__TEL_APP_A_SOME_NAME)</code> in the corresponding expression in the traffic-agent.
      - type: bugfix
        title: Panic in root-daemon on darwin workstations with full access to cluster network.
        body: >-
          A darwin machine with full access to the cluster's subnets will never create a TUN-device, and a check was
          missing if the device actually existed, which caused a panic in the root daemon.
      - type: bugfix
        title: Show allow-conflicting-subnets in telepresence status and telepresence config view.
        body: >-
          The <code>telepresence status</code> and <code>telepresence config view</code> commands didn't show the
          <code>allowConflictingSubnets</code> CIDRs because the value wasn't propagated correctly to the CLI.
      - type: feature
        title: It is now possible to use a host-based connection and containerized connections simultaneously.
        body: >-
          Only one host-based connection can exist because that connection will alter the DNS to reflect the namespace
          of the connection, but it's now possible to create additional connections using <code>--docker</code> while
          retaining the host-based connection.
      - type: feature
        title: Ability to set the hostname of a containerized daemon.
        body: >-
          The hostname of a containerized daemon defaults to the container's ID in Docker. You can now override the
          hostname using <code>telepresence connect --docker --hostname <a name></code>.
      - type: feature
        title: New <code>--multi-daemon</code> flag to enforce a consistent structure for the status command output.
        body: >-
          The output of the <code>telepresence status</code> when using <code>--output json</code> or <code>--output
          yaml</code> will either show an object where the <code>user_daemon</code> and <code>root_daemon</code>
          are top level elements, or when multiple connections are used, an object where a <code>connections</code>
          list contains objects with those daemons. The flag <code>--multi-daemon</code> will enforce the latter
          structure even when only one daemon is connected so that the output can be parsed consistently. The reason
          for keeping the former structure is to retain backward compatibility with existing parsers.
      - type: bugfix
        title: Make output from telepresence quit more consistent.
        body: >-
          A quit (without -s) just disconnects the host user and root daemons but will quit a container based daemon.
          The message printed was simplified to remove some have/has is/are errors caused by the difference.
      - type: bugfix
        title: 'Fix "tls: bad certificate" errors when refreshing the mutator-webhook secret'
        body: >-
          The <code>agent-injector</code> service will now refresh the secret used by the <code>mutator-webhook</code>
          each time a new connection is established, thus preventing the certificates from going out of sync when
          the secret is regenerated.
      - type: bugfix
        title: Keep telepresence-agents configmap in sync with pod states.
        body: >-
          An intercept attempt that resulted in a timeout due to failure of injecting the traffic-agent left the
          <code>telepresence-agents</code> configmap in a state that indicated that an agent had been added, which
          caused problems for subsequent intercepts after the problem causing the first failure had been fixed.
      - type: bugfix
        title: The <code>telepresence status</code> command will now report the status of all running daemons.
        body: >-
          A <code>telepresence status</code>, issued when multiple containerized daemons were active, would error with
          "multiple daemons are running, please select one using the --use <match> flag". This is now
          fixed so that the command instead reports the status of all running daemons.
      - type: bugfix
        title: The <code>telepresence version</code> command will now report the version of all running daemons.
        body: >-
          A <code>telepresence version</code>, issued when multiple containerized daemons were active, would error with
          "multiple daemons are running, please select one using the --use <match> flag". This is now
          fixed so that the command instead reports the version of all running daemons.
      - type: bugfix
        title: Multiple containerized daemons can now be disconnected using <code>telepresence quit -s</code>
        body: >-
          A <code>telepresence quit -s</code>, issued when multiple containerized daemons were active, would error with
          "multiple daemons are running, please select one using the --use <match> flag". This is now
          fixed so that the command instead quits all daemons.
      - type: bugfix
        title: The DNS search path on Windows is now restored when Telepresence quits
        body: >-
          The DNS search path that Telepresence uses to simulate the DNS lookup functionality in the connected
          cluster namespace was not removed by a <code>telepresence quit</code>, resulting in connectivity problems
          from the workstation. Telepresence will now remove the entries that it has added to the search list when
          it quits.
      - type: bugfix
        title: The user-daemon would sometimes get killed when used by multiple simultaneous CLI clients.
        body: >-
          The user-daemon would die with a fatal "fatal error: concurrent map writes" error in the
          <code>connector.log</code>, effectively killing the ongoing connection.
      - type: bugfix
        title: Multiple service ports using the same target port would not get intercepted correctly.
        body: >-
          Intercepts didn't work when multiple service ports were using the same container port. Telepresence would
          think that one of the ports wasn't intercepted and therefore disable the intercept of the container port.
      - type: bugfix
        title: Root daemon refuses to disconnect.
        body: >-
          The root daemon would sometimes hang forever when attempting to disconnect due to a deadlock in
          the VIF-device.
      - type: bugfix
        title: Fix panic in user daemon when traffic-manager was unreachable
        body: >-
          The user daemon would panic if the traffic-manager was unreachable. It will now instead report
          a proper error to the client.
      - type: change
        title: Removal of backward support for versions predating 2.6.0
        body: >-
          The telepresence helm installer will no longer discover and convert workloads that were modified by versions
          prior to 2.6.0. The traffic manager will no longer support the muxed tunnels used in versions prior to
          2.5.0.
  - version: 2.17.0
    date: "2023-11-14"
    notes:
      - type: feature
        title: Additional Prometheus metrics to track intercept/connect activity
        body: >-
          This feature adds the following metrics to the Prometheus endpoint: <code>connect_count</code>,
          <code>connect_active_status</code>, <code>intercept_count</code>, and <code>intercept_active_status</code>.
          These are labeled by client/install_id.
          Additionally, the <code>intercept_count</code> metric has been renamed to <code>active_intercept_count</code>
          for clarity.
      - type: feature
        title: Make the Telepresence client docker image configurable.
        body: >-
          The docker image used when running a Telepresence intercept in docker mode can now be configured using
          the setting <code>images.clientImage</code> and will default first to the value of the environment <code>
          TELEPRESENCE_CLIENT_IMAGE</code>, and then to the value preset by the telepresence binary. This
          configuration setting is primarily intended for testing purposes.
      - type: feature
        title: Use traffic-agent port-forwards for outbound and intercepted traffic.
        body: >-
          The telepresence TUN-device is now capable of establishing direct port-forwards to a traffic-agent in the
          connected namespace. That port-forward is then used for all outbound traffic to the device, and also for
          all traffic that arrives from intercepted workloads. Getting rid of the extra hop via the traffic-manager
          improves performance and reduces the load on the traffic-manager. The feature can only be used if the client
          has Kubernetes port-forward permissions to the connected namespace. It can be disabled by setting <code>
          cluster.agentPortForward</code> to <code>false</code> in <code>config.yml</code>.
      - type: feature
        title: Improve outbound traffic performance.
        body: >-
          The root-daemon now communicates directly with the traffic-manager instead of routing all outbound traffic
          through the user-daemon. The root-daemon uses a patched kubeconfig where <code>exec</code> configurations to
          obtain credentials are dispatched to the user-daemon. This ensures that all authentication plugins will
          execute in user-space. The old behavior of routing everything through the user-daemon can be restored by
          setting <code>cluster.connectFromRootDaemon</code> to <code>false</code> in <code>config.yml</code>.
      - type: feature
        title: New networking CLI flag --allow-conflicting-subnets
        body: >-
          telepresence connect (and other commands that kick off a connect) now accepts an --allow-conflicting-subnets
          CLI flag. This is equivalent to client.routing.allowConflictingSubnets in the helm chart, but can be specified
          at connect time. It will be appended to any configuration pushed from the traffic manager.
      - type: change
        title: Warn if large version mismatch between traffic manager and client.
        body: >-
          Print a warning if the minor version diff between the client and the traffic manager is greater than three.
      - type: change
        title: The authenticator binary was removed from the docker image.
        body: >-
          The <code>authenticator</code> binary, used when serving proxied <code>exec</code> kubeconfig credential
          retrieval, has been removed. The functionality was instead added as a subcommand to the <code>telepresence
          </code> binary.
  - version: 2.16.1
    date: "2023-10-12"
    notes:
      - type: feature
        title: Add --docker-debug flag to the telepresence intercept command.
        body: >-
          This flag is similar to <code>--docker-build</code> but will start the container with more relaxed security
          using the <code>docker run</code> flags <code>--security-opt apparmor=unconfined --cap-add SYS_PTRACE</code>.
      - type: feature
        title: Add an --expose option to the telepresence connect command.
        body: >-
          In some situations it is necessary to make some ports available to the
          host from a containerized telepresence daemon. This commit adds a
          repeatable <code>--expose <docker port exposure></code> flag to the connect
          command.
      - type: feature
        title: Prevent agent-injector webhook from selecting from kube-xxx namespaces.
        body: >-
          The <code>kube-system</code> and <code>kube-node-lease</code> namespaces should not be affected by a
          global agent-injector webhook by default. A default <code>namespaceSelector</code> was therefore added
          to the Helm Chart <code>agentInjector.webhook</code> that contains a <code>NotIn</code> preventing those
          namespaces from being selected.
      - type: bugfix
        title: Backward compatibility for pod template TLS annotations.
        body: >-
          Users of Telepresence < 2.9.0 that make use of the pod template TLS annotations were unable to upgrade because
          the annotation names have changed (now prefixed by "telepresence."), and the environment expansion of the
          annotation values was dropped. This fix restores support for the old names (while retaining the new ones) and
          the environment expansion.
      - type: security
        title: Built with go 1.21.3
        body: >-
          Built Telepresence with go 1.21.3 to address CVEs.
      - type: bugfix
        title: Match service selector against pod template labels
        body: >-
          When listing intercepts (typically by calling <code>telepresence list</code>) selectors of services are matched
          against workloads. Previously the match was made against the labels of the workload, but now they are matched
          against the labels of the pod template of the workload. Since the service would actually be matched against pods this
          is more correct. The most common case when this makes a difference is that statefulsets are now listed when they should be.
  - version: 2.16.0
    date: "2023-10-02"
    notes:
      - type: bugfix
        title: The helm sub-commands will no longer start the user daemon.
        body: >-
          The <code>telepresence helm install/upgrade/uninstall</code> commands will no longer start the telepresence
          user daemon because there's no need to connect to the traffic-manager in order for them to execute.
      - type: bugfix
        title: Routing table race condition
        body: >-
          A race condition would sometimes occur when a Telepresence TUN device was deleted and another created in rapid
          succession that caused the routing table to reference interfaces that no longer existed.
      - type: bugfix
        title: Stop lingering daemon container
        body: >-
          When using <code>telepresence connect --docker</code>, a lingering container could be present, causing errors
          like "The container name NN is already in use by container XX ...". When this happens, the connect
          logic will now give the container some time to stop and then call <code>docker stop NN</code> to stop it
          before retrying to start it.
      - type: bugfix
        title: Add file locking to the Telepresence cache
        body: >-
          Files in the Telepresence cache are accessed by multiple processes. The processes will now use advisory
          locks on the files to guarantee consistency.
      - type: change
        title: Lock connection to namespace
        body: >-
          The behavior changed so that a connected Telepresence client is bound to a namespace. The namespace can then
          not be changed unless the client disconnects and reconnects. A connection is also given a name. The default
          name is composed from <code><kube context name>-<namespace></code> but can be given explicitly
          when connecting using <code>--name</code>. The connection can optionally be identified using the option
          <code>--use <name match></code> (only needed when docker is used and more than one connection is active).
      - type: change
        title: Deprecation of global --context and --docker flags.
        body: >-
          The global flags <code>--context</code> and <code>--docker</code> will now be considered deprecated unless used
          with commands that accept the full set of Kubernetes flags (e.g. <code>telepresence connect</code>).
      - type: change
        title: Deprecation of the --namespace flag for the intercept command.
        body: >-
          The <code>--namespace</code> flag is now deprecated for the <code>telepresence intercept</code> command. The flag can instead
          be used with all commands that accept the full set of Kubernetes flags (e.g. <code>telepresence connect</code>).
      - type: change
        title: Legacy code predating version 2.6.0 was removed.
        body: >-
          The telepresence code-base still contained a lot of code that would modify workloads instead of relying on
          the mutating webhook installer when a traffic-manager version predating version 2.6.0 was discovered. This
          code has now been removed.
      - type: feature
        title: Add `telepresence list-namespaces` and `telepresence list-contexts` commands
        body: >-
          These commands can be used to check accessible namespaces and for automation.
      - type: change
        title: Implicit connect warning
        body: >-
          A deprecation warning will be printed if a command other than <code>telepresence connect</code> causes an
          implicit connect to happen. Implicit connects will be removed in a future release.
  - version: 2.15.1
    date: "2023-09-06"
    notes:
      - type: security
        title: Rebuild with go 1.21.1
        body: >-
          Rebuild Telepresence with go 1.21.1 to address CVEs.
      - type: security
        title: Set security context for traffic agent
        body: >-
          Openshift users reported that the traffic agent injection was failing due to a missing security context.
  - version: 2.15.0
    date: "2023-08-29"
    notes:
      - type: security
        title: Add ASLR to telepresence binaries
        body: >-
          ASLR hardens binary security against fixed memory attacks.
      - type: feature
        title: Added client builds for arm64 architecture.
        body: >-
          Updated the release workflow files in github actions to include building and publishing the client binaries for arm64 architecture.
        docs: https://github.com/telepresenceio/telepresence/issues/3259
      - type: bugfix
        title: KUBECONFIG env var can now be used with the docker mode.
        body: >-
          If provided, the KUBECONFIG environment variable was passed to the kubeauth-foreground service as a parameter.
          However, since it didn't exist, the CLI was throwing an error when using <code>telepresence connect --docker</code>.
        docs: https://github.com/telepresenceio/telepresence/pull/3300
      - type: bugfix
        title: Fix deadlock while watching workloads
        body: >-
          The <code>telepresence list --output json-stream</code> wasn't releasing the session's lock after being
          stopped, including with a <code>telepresence quit</code>. The user could be blocked as a result.
        docs: https://github.com/telepresenceio/telepresence/pull/3298
      - type: bugfix
        title: Change json output of telepresence list command
        body: >-
          Replace deprecated info in the JSON output of the telepresence list command.
  - version: 2.14.4
    date: "2023-08-21"
    notes:
      - type: bugfix
        title: Nil pointer exception when upgrading the traffic-manager.
        body: >-
          Upgrading the traffic-manager using <code>telepresence helm upgrade</code> would sometimes
          result in a helm error message <q>executing "telepresence/templates/intercept-env-configmap.yaml"
          at <.Values.intercept.environment.excluded>: nil pointer evaluating interface {}.excluded"</q>
        docs: https://github.com/telepresenceio/telepresence/issues/3313
  - version: 2.14.2
    date: "2023-07-26"
    notes:
      - type: bugfix
        title: Telepresence now uses the OSS agent in its latest version by default.
        body: >-
          The traffic manager admin was forced to set it manually during the chart installation.
        docs: https://github.com/telepresenceio/telepresence/issues/3271
  - version: 2.14.1
    date: "2023-07-07"
    notes:
      - type: feature
        title: Envoy's http idle timeout is now configurable.
        body: >-
          A new <code>agent.helm.httpIdleTimeout</code> setting was added to the Helm chart that controls
          the proprietary Traffic agent's http idle timeout. The default of one hour, which in some situations
          would cause a lot of resource-consuming and lingering connections, was changed to 70 seconds.
      - type: feature
        title: Add more gauges to the Traffic manager's Prometheus client.
        body: >-
          Several gauges were added to the Prometheus client to make it easier to monitor
          what the Traffic manager spends resources on.
      - type: feature
        title: Agent Pull Policy
        body: >-
          Add option to set traffic agent pull policy in helm chart.
      - type: bugfix
        title: Resource leak in the Traffic manager.
        body: >-
          Fixes a resource leak in the Traffic manager caused by lingering tunnels between the clients and
          Traffic agents. The tunnels are now closed correctly when terminated from the side that created them.
      - type: bugfix
        title: Fixed problem setting traffic manager namespace using the kubeconfig extension.
        body: >-
          Fixes a regression introduced in version 2.10.5, making it impossible to set the traffic-manager namespace
          using the telepresence.io kubeconfig extension.
        docs: https://www.getambassador.io/docs/telepresence/latest/reference/config#manager
  - version: 2.14.0
    date: "2023-06-12"
    notes:
      - type: feature
        title: DNS configuration now supports excludes and mappings.
        body: >-
          The DNS configuration now supports two new fields, excludes and mappings. The excludes field allows you to
          exclude a given list of hostnames from resolution, while the mappings field can be used to resolve a hostname with
          another.
612 docs: https://github.com/telepresenceio/telepresence/pull/3172 613 614 - type: feature 615 title: Added the ability to exclude environment variables 616 body: >- 617 Added a new config map that can take an array of environment variables that will 618 then be excluded from an intercept that retrieves the environment of a pod. 619 620 - type: bugfix 621 title: Fixed traffic-agent backward incompatibility issue causing lack of remote mounts 622 body: >- 623 A traffic-agent of version 2.13.3 (or 1.13.15) would not propagate the directories under 624 <code>/var/run/secrets</code> when used with a traffic manager older than 2.13.3. 625 626 - type: bugfix 627 title: Fixed race condition causing segfaults on rare occasions when a tunnel stream timed out. 628 body: >- 629 A context cancellation could sometimes be trapped in a stream reader, causing it to incorrectly return 630 an undefined message which in turn caused the parent reader to panic on a <code>nil</code> pointer reference. 631 docs: https://github.com/telepresenceio/telepresence/pull/2963 632 633 - type: change 634 title: Routing conflict reporting. 635 body: >- 636 Telepresence will now attempt to detect and report routing conflicts with other running VPN software on client machines. 637 There is a new configuration flag that can be tweaked to allow certain CIDRs to be overridden by Telepresence. 638 639 - type: change 640 title: test-vpn command deprecated 641 body: >- 642 Running telepresence test-vpn will now print a deprecation warning and exit. The command will be removed in a future release. 643 Instead, please configure telepresence for your VPN's routes. 644 - version: 2.13.3 645 date: "2023-05-25" 646 notes: 647 - type: feature 648 title: Add imagePullSecrets to hooks 649 body: >- 650 Add .Values.hooks.curl.imagePullSecrets and .Values.hooks curl.imagePullSecrets to Helm values. 
651 docs: https://github.com/telepresenceio/telepresence/pull/3079 652 653 - type: change 654 title: Change reinvocation policy to Never for the mutating webhook 655 body: >- 656 The default setting of the reinvocationPolicy for the mutating webhook dealing with agent injections changed from Never to IfNeeded. 657 658 - type: bugfix 659 title: Fix mounting fail of IAM roles for service accounts web identity token 660 body: >- 661 The eks.amazonaws.com/serviceaccount volume injected by EKS is now exported and remotely mounted during an intercept. 662 docs: https://github.com/telepresenceio/telepresence/issues/3166 663 664 - type: bugfix 665 title: Correct namespace selector for cluster versions with non-numeric characters 666 body: >- 667 The mutating webhook now correctly applies the namespace selector even if the cluster version contains non-numeric characters. For example, it can now handle versions such as Major:"1", Minor:"22+". 668 docs: https://github.com/telepresenceio/telepresence/pull/3184 669 670 - type: bugfix 671 title: Enable IPv6 on the telepresence docker network 672 body: >- 673 The "telepresence" Docker network will now propagate DNS AAAA queries to the Telepresence DNS resolver when it runs in a Docker container. 674 docs: https://github.com/telepresenceio/telepresence/issues/3179 675 676 - type: bugfix 677 title: Fix the crash when intercepting with --local-only and --docker-run 678 body: >- 679 Running telepresence intercept --local-only --docker-run no longer results in a panic. 680 docs: https://github.com/telepresenceio/telepresence/issues/3171 681 682 - type: bugfix 683 title: Fix incorrect error message with local-only mounts 684 body: >- 685 Running telepresence intercept --local-only --mount false no longer results in an incorrect error message saying "a local-only intercept cannot have mounts". 
686 docs: https://github.com/telepresenceio/telepresence/issues/3171 687 688 - type: bugfix 689 title: specify port in hook urls 690 body: >- 691 The helm chart now correctly handles custom agentInjector.webhook.port that was not being set in hook URLs. 692 docs: https://github.com/telepresenceio/telepresence/pull/3161 693 694 - type: bugfix 695 title: Fix wrong default value for disableGlobal and agentArrival 696 body: >- 697 Params .intercept.disableGlobal and .timeouts.agentArrival are now correctly honored.