Merge master into PR #11672

.github/workflows/_build_publish.yaml

@@ -54,7 +54,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -105,7 +105,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -128,7 +128,7 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -137,7 +137,7 @@ jobs:
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -186,7 +186,7 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}
@@ -227,7 +227,7 @@ jobs:
           go-version-file: go.mod
           cache-dependency-path: |
             go.sum
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}

.github/workflows/_e2e.yaml

@@ -34,7 +34,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}

.github/workflows/_test.yaml

@@ -26,7 +26,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -51,7 +51,7 @@ jobs:
               "test_e2e": {
                 "target": [""],
                 "k8sVersion": ["kindIpv6", "${{ env.K8S_MIN_VERSION }}", "${{ env.K8S_MAX_VERSION }}"],
-                "arch": ["amd64"],
+                "arch": ["arm64"],
                 "parallelism": [4],
                 "cniNetworkPlugin": ["flannel"],
                 "sidecarContainers": [""]
@@ -70,8 +70,8 @@ jobs:
                 ],
                 "include":[
                   {"sidecarContainers": "sidecarContainers", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "kubernetes", "arch": "amd64"},
-                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "arm64"},
-                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "arm64"},
+                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "amd64"},
+                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "amd64"},
                   {"k8sVersion": "kind", "target": "universal", "arch": "arm64"},
                   {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "gatewayapi", "arch": "amd64"},
                   {"cniNetworkPlugin": "calico", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "multizone", "arch": "amd64"}

.github/workflows/build-test-distribute.yaml

@@ -13,6 +13,9 @@ permissions:
 env:
   KUMA_DIR: "."
   CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
+concurrency:
+  group: ${{github.workflow}}-${{ github.event_name == 'push' && github.sha || github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'push' && false || true }}
 jobs:
   check:
     permissions:
@@ -48,11 +51,11 @@ jobs:
         with:
           go-version-file: go.mod
           cache: false
-      - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+      - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           args: --fix=false --verbose
           version: v1.60.3
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -66,7 +69,7 @@ jobs:
       - run: |
           make check
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/sca@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           dir: .
           config: .syft.yaml

.github/workflows/check.yaml

@@ -43,7 +43,7 @@ jobs:
         run: |
           tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"
       - name: Add checklist comment
-        if: github.event.action == 'opened' && github.event.pull_request.author != 'dependabot'
+        if: false # disable as it doesn't work github.event.action == 'opened' && github.event.pull_request.author != 'dependabot'
         env:
           GITHUB_TOKEN: ${{ github.token }}
           CHECKLIST_MESSAGE: |

.github/workflows/ci-stability.yaml

@@ -2,9 +2,16 @@ name: Check CI stability for PRs with "ci/verify-stability" or "ci/verify-stabil
 
 on:
   schedule:
-    - cron: "0 */2 19-23 * * 1-5"  # From 7 PM to 11 PM Monday to Friday
-    - cron: "0 */2 0-7 * * 2-6"    # From 12 AM to 7 AM Tuesday to Saturday
-    - cron: "0 */2 * * 6,0"        # Every 2 hours on Saturday and Sunday
+    # Monday to Friday: Every 2 hours from 7 PM to 7 AM
+    - cron: "0 19 * * 1-5"
+    - cron: "0 21 * * 1-5"
+    - cron: "0 23 * * 1-5"
+    - cron: "0 1 * * 2-6"
+    - cron: "0 3 * * 2-6"
+    - cron: "0 5 * * 2-6"
+    - cron: "0 7 * * 2-6"
+    # Saturday and Sunday: Every 2 hours all day
+    - cron: "0 */2 * * 6,0"
   workflow_dispatch:  # Allows manual trigger from GitHub Actions UI
 env:
   GH_USER: "github-actions[bot]"
@@ -17,22 +24,21 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Get open pull requests
-        uses: octokit/[email protected]
-        id: get_prs
-        with:
-          route: GET /repos/${{ github.repository }}/pulls
+      - name: Get open pull requests and save to file
+        run: |
+          gh pr list --json number,labels > open_prs.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Process PRs
         id: process_prs
         run: |
-          pr_numbers_with_verify_stability=$(echo '${{ steps.get_prs.outputs.data }}' | jq -r '.[] | select(.labels[].name == "ci/verify-stability") | .number')
-          pr_numbers_with_verify_stability_merge_master=$(echo '${{ steps.get_prs.outputs.data }}' | jq -r '.[] | select(.labels[].name == "ci/verify-stability-merge-master") | .number')
+          cat open_prs.json
+          pr_numbers_with_verify_stability=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability") | .number' open_prs.json)
+          pr_numbers_with_verify_stability_merge_master=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability-merge-master") | .number' open_prs.json)
           echo "PRs with 'ci/verify-stability' label: $pr_numbers_with_verify_stability"
           echo "PRs with 'ci/verify-stability-merge-master' label: $pr_numbers_with_verify_stability_merge_master"
-          echo "::set-output name=pr_numbers_with_verify_stability::$pr_numbers_with_verify_stability"
-          echo "::set-output name=pr_numbers_with_verify_stability_merge_master::$pr_numbers_with_verify_stability_merge_master"
+          echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT
+          echo "pr_numbers_with_verify_stability_merge_master=$pr_numbers_with_verify_stability_merge_master" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Merge master branch (if applicable) and push a single commit

.github/workflows/codeql.yaml

@@ -24,13 +24,13 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           config-file: ./.github/codeql/codeql-config.yml
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/helm-release.yaml

@@ -34,7 +34,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}

.github/workflows/pr-comments.yaml

@@ -47,7 +47,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}

.github/workflows/scorecard.yml

@@ -57,6 +57,6 @@ jobs:
           retention-days: 5
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           sarif_file: results.sarif

.github/workflows/transparentproxy-tests.yaml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}

CHANGELOG.md

@@ -1,6 +1,60 @@
 # Changelog
 <!-- Autogenerated with (github.com/kumahq/ci-tools) release-tool changelog.md -->
 
+## 2.8.4
+> Released on 2024/10/07
+
+* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11574](https://github.com/kumahq/kuma/pull/11574) @kumahq
+* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11630](https://github.com/kumahq/kuma/pull/11630) @Icarus9913
+* chore(deps): security update [#11330](https://github.com/kumahq/kuma/pull/11330) @kumahq
+* chore(deps): upgrade envoy to 1.30.6 [#11487](https://github.com/kumahq/kuma/pull/11487) @lukidzi
+* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11551](https://github.com/kumahq/kuma/pull/11551) @kumahq
+* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11671](https://github.com/kumahq/kuma/pull/11671) @kumahq
+* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11616](https://github.com/kumahq/kuma/pull/11616) @kumahq
+* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11606](https://github.com/kumahq/kuma/pull/11606) @kumahq
+* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11609](https://github.com/kumahq/kuma/pull/11609) @kumahq
+
+
+## 2.7.8
+> Released on 2024/10/07
+
+* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11575](https://github.com/kumahq/kuma/pull/11575) @kumahq
+* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11629](https://github.com/kumahq/kuma/pull/11629) @Icarus9913
+* chore(deps): security update [#11329](https://github.com/kumahq/kuma/pull/11329) @kumahq
+* chore(deps): upgrade envoy to 1.29.9 [#11486](https://github.com/kumahq/kuma/pull/11486) @lukidzi
+* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11552](https://github.com/kumahq/kuma/pull/11552) @kumahq
+* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11670](https://github.com/kumahq/kuma/pull/11670) @kumahq
+* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11618](https://github.com/kumahq/kuma/pull/11618) @kumahq
+* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11605](https://github.com/kumahq/kuma/pull/11605) @kumahq
+* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11612](https://github.com/kumahq/kuma/pull/11612) @kumahq
+
+
+## 2.6.12
+> Released on 2024/10/06
+
+* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11576](https://github.com/kumahq/kuma/pull/11576) @kumahq
+* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11628](https://github.com/kumahq/kuma/pull/11628) @Icarus9913
+* chore(deps): security update [#11333](https://github.com/kumahq/kuma/pull/11333) @kumahq
+* chore(deps): upgrade envoy to 1.28.7 [#11485](https://github.com/kumahq/kuma/pull/11485) @lukidzi
+* fix(MeshTrace): invalid sampling default values (backport of #11548) [#11553](https://github.com/kumahq/kuma/pull/11553) @kumahq
+* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11669](https://github.com/kumahq/kuma/pull/11669) @kumahq
+* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11619](https://github.com/kumahq/kuma/pull/11619) @kumahq
+* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11607](https://github.com/kumahq/kuma/pull/11607) @kumahq
+* revert(kuma-cp): do not use additional addresses (backport of #11601) [#11611](https://github.com/kumahq/kuma/pull/11611) @kumahq
+
+
+## 2.5.11
+> Released on 2024/10/06
+
+* chore(deps): bump coredns from v1.11.1 to v1.11.3 [#11573](https://github.com/kumahq/kuma/pull/11573) @kumahq
+* chore(deps): bump golang from 1.22.7 to 1.22.8 [#11627](https://github.com/kumahq/kuma/pull/11627) @Icarus9913
+* chore(deps): security update [#11332](https://github.com/kumahq/kuma/pull/11332) @kumahq
+* chore(deps): upgrade envoy to 1.28.7 [#11484](https://github.com/kumahq/kuma/pull/11484) @lukidzi
+* fix(egress): same external service tag in multiple meshes (backport of #11667) [#11668](https://github.com/kumahq/kuma/pull/11668) @kumahq
+* fix(meshgateway): do not override annotations from deployment (backport of #10698) [#11617](https://github.com/kumahq/kuma/pull/11617) @kumahq
+* fix(xds): eds deadlock on initial fetch timeout (backport of #11602) [#11608](https://github.com/kumahq/kuma/pull/11608) @kumahq
+
+
 ## 2.8.3
 > Released on 2024/08/30
 

UPGRADE.md

@@ -233,6 +233,12 @@ The values `yes` and `no` are deprecated for specifying boolean values in switch
 
 Please use `true` and `false` as replacements; some boolean switches also support `enabled` and `disabled`. [Check the documentation](https://kuma.io/docs/latest/reference/kubernetes-annotations/) for the specific annotation to confirm the correct replacements.
 
+#### Deprecation of `kuma.io/mesh` annotation
+
+It was previously possible to create a resource in a `Mesh` by providing the `Mesh` name as an annotation, but this support has been deprecated and will be removed in the future.
+
+Please use the `kuma.io/mesh` label instead.
+
 ## Upgrade to `2.8.x`
 
 ### MeshFaultInjection responseBandwidth.limit

app/kumactl/cmd/install/install_transparent_proxy.go

@@ -239,7 +239,15 @@ runuser -u kuma-dp -- \
 	cmd.Flags().Var(&cfg.Redirect.DNS.Port, "redirect-dns-port", "the port where the DNS agent is listening")
 	cmd.Flags().StringVar(&cfg.Redirect.DNS.UpstreamTargetChain, "redirect-dns-upstream-target-chain", cfg.Redirect.DNS.UpstreamTargetChain, "(optional) the iptables chain where the upstream DNS requests should be directed to. It is only applied for IP V4. Use with care.")
 	cmd.Flags().BoolVar(&cfg.StoreFirewalld, "store-firewalld", cfg.StoreFirewalld, "store the iptables changes with firewalld")
-	cmd.Flags().BoolVar(&cfg.Redirect.DNS.SkipConntrackZoneSplit, "skip-dns-conntrack-zone-split", cfg.Redirect.DNS.SkipConntrackZoneSplit, "skip applying conntrack zone splitting iptables rules")
+	cmd.Flags().BoolVar(
+		&cfg.Redirect.DNS.SkipConntrackZoneSplit,
+		"skip-dns-conntrack-zone-split",
+		cfg.Redirect.DNS.SkipConntrackZoneSplit,
+		fmt.Sprintf(
+			"Disables the conntrack zone splitting feature, which is used to avoid DNS resolution errors when applications make numerous DNS UDP requests. Normally, we separate conntrack zones to ensure proper handling of DNS traffic: Zone 2 handles DNS packets between the application and the local proxy, while Zone 1 manages packets between the proxy and upstream DNS resolvers. Disabling this feature should only be done if necessary, for example, in environments where custom iptables rules are already manipulating DNS traffic (e.g., inside Docker containers in custom networks when redirecting all DNS traffic [%s is enabled])",
+			flagRedirectAllDNSTraffic,
+		),
+	)
 	cmd.Flags().BoolVar(&cfg.DropInvalidPackets, "drop-invalid-packets", cfg.DropInvalidPackets, "This flag enables dropping of packets in invalid states, improving application stability by preventing them from reaching the backend. This is particularly beneficial during high-throughput requests where out-of-order packets might bypass DNAT. Note: Enabling this flag may introduce slight performance overhead. Weigh the trade-off between connection stability and performance before enabling it.")
 
 	// ebpf