forked from telepresenceio/telepresence
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG.yml
621 lines (607 loc) · 37.5 KB
/
CHANGELOG.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
# The YAML in this file should contain:
#
# changelog: An (optional) URL to the CHANGELOG for the product.
# items: An array of releases with the following attributes:
# - version: The (optional) version number of the release, if applicable.
# - date: The date of the release in the format YYYY-MM-DD.
# - notes: An array of noteworthy changes included in the release, each having the following attributes:
# - type: The type of change, one of `bugfix`, `feature`, `security` or `change`.
# - title: A short title of the noteworthy change.
# - body: >-
# Two or three sentences describing the change and why it
# is noteworthy. This is HTML, not plain text or
# markdown. It is handy to use YAML's ">-" feature to
# allow line-wrapping.
# - image: >-
# The URL of an image that visually represents the
# noteworthy change. This path is relative to the
# `release-notes` directory; if this file is
# `FOO/releaseNotes.yml`, then the image paths are
# relative to `FOO/release-notes/`.
# - docs: The path to the documentation page where additional information can be found.
# - href: A path from the root to a resource on the getambassador website, takes precedence over a docs link.
#
# For older changes, see CHANGELOG.OLD.md
docTitle: Telepresence Release Notes
docDescription: >-
Release notes for Telepresence by Ambassador Labs, a CNCF project
that enables developers to iterate rapidly on Kubernetes
microservices by arming them with infinite-scale development
environments, access to instantaneous feedback loops, and highly
customizable development environments.
items:
- version: 2.19.0
date: (TBD)
notes:
- type: feature
title: Add ability to mount a webhook secret.
body: >-
A new Helm chart value <code>agentInjector.certificate.accessMethod</code> which can be set to <code>watch</code>
(the default) or <code>mount</code> has been added. The <code>mount</code> setting is intended for clusters with
policies that prevent containers from doing a <code>get</code>, <code>list</code> or <code>watch</code> of a
<code>Secret</code>, but where a latency of up to 90 seconds is acceptable between the time the secret is
regenerated and the agent-injector picks it up.
- type: feature
title: Make it possible to specify ignored volume mounts using path prefix.
body: >-
Volume mounts like <code>/var/run/secrets/kubernetes.io</code> are not declared in the workload. Instead, they
are injected during pod-creation and their names are generated. It is nwo possible to ignore such mounts using a
matching path prefix.
- type: feature
title: Make the telemount Docker Volume plugin configurable
body: >-
A <code>telemount</code> object was added to the <code>intercept</code> object in <code>config.yml</code>
(or Helm value <code>client.intercept</code>), so that the automatic download and installation of this plugin can
be fully customised.
- type: feature
title: Add option to load the kubeconfig yaml from stdin during connect.
body: >-
This allows another process with a kubeconfig already loaded in memory
to directly pass it to <code>telepresence connect</code> without needing a separate
file. Simply use a dash "-" as the filename for the <code>--kubeconfig</code> flag.
- type: change
title: Tracing is no longer enabled by default.
body: >-
Tracing must now be enabled explicitly in order to use the <code>telepresence gather-traces</code>
command.
- type: change
title: Removal of timeouts that are no longer in use
body: >-
The <code>config.yml</code> values <code>timeouts.agentInstall</code> and <code>timeouts.apply</code> haven't
been in use since versions prior to 2.6.0, when the client was responsible for installing the traffic-agent.
These timeouts are now removed from the code-base, and a warning will be printed when attempts are made to use
them.
- version: 2.18.1
date: (TBD)
notes:
- type: bugfix
title: Get rid of telemount plugin stickiness
body: >-
The <code>datawire/telemount</code> that is automatically downloaded and installed, would never be
updated once the installation was made. Telepresence will now check for the latest release of the
plugin and cache the result of that check for 24 hours. If a new version arrives, it will be
installed and used.
- type: bugfix
title: Use route instead of address for CIDRs with masks that don't allow "via"
body: >-
A CIDR with a mask that leaves less than two bits (/31 or /32 for IPv4)
cannot be added as an address to the VIF, because such addresses must
have bits allowing a "via" IP.
The logic was modified to allow such CIDRs to become static routes, using the
VIF base address as their "via", rather than being VIF addresses in their own right.
- type: bugfix
title: Containerized daemon created cache files owned by root
body: >-
When using <code>telepresence connect --docker</code> to create a containerized daemon, that
daemon would sometimes create files in the cache that were owned by root, which then caused
problems when connecting without the <code>--docker</code> flag.
- type: bugfix
title: Remove large number of requests when traffic-manager is used in large clusters.
body: >-
The traffic-manager would make a very large number of API requests during cluster start-up
or when many services were changed for other reasons. The logic that did this was refactored
and the number of queries were significantly reduced.
- type: bugfix
title: Don't patch probes on replaced containers.
body: >-
A container that is being replaced by a <code>telepresence intercept --replace</code>
invocation will have no liveness-, readiness, nor startup-probes. Telepresence didn't
take this into consideration when injecting the traffic-agent, but now it will refrain
from patching symbolic port names of those probes.
- type: bugfix
title: Don't rely on context name when deciding if a kind cluster is used.
body: >-
The code that auto-patches the kubeconfig when connecting to a kind cluster from within
a docker container, relied on the context name starting with "kind-", but although all
contexts created by kind have that name, the user is still free to rename it or to create
other contexts using the same connection properties. The logic was therefore changed
to instead look for a loopback service address.
- version: 2.18.0
date: "2024-2-9"
notes:
- type: feature
title: Include the image for the traffic-agent in the output of the version and status commands.
body: >-
The version and status commands will now output the image that the traffic-agent will be using when injected
by the agent-injector.
- type: feature
title: Custom DNS using the client DNS resolver.
body: >-
<p>A new <code>telepresence connect --proxy-via CIDR=WORKLOAD</code> flag was introduced, allowing Telepresence
to translate DNS responses matching specific subnets into virtual IPs that are used locally. Those virtual IPs
are then routed (with reverse translation) via the pod's of a given workload. This makes it possible to handle
custom DNS servers that resolve domains into loopback IPs. The flag may also be used in cases where the
cluster's subnets are in conflict with the workstation's VPN.</p>
<p>The CIDR can also be a symbolic name that identifies a subnet or list of subnets:<table>
<tr><td><code>also</code></td><td>All subnets added with --also-proxy</td></tr>
<tr><td><code>service</code></td><td>The cluster's service subnet</td></tr>
<tr><td><code>pods</code></td><td>The cluster's pod subnets.</td></tr>
<tr><td><code>all</code></td><td>All of the above.</td></tr>
</table></p>
- type: bugfix
title: Ensure that agent.appProtocolStrategy is propagated correctly.
body: >-
The <code>agent.appProtocolStrategy</code> was inadvertently dropped when moving license related code fromm the
OSS repository the repository for the Enterprise version of Telepresence. It has now been restored.
- type: bugfix
title: Include non-default zero values in output of telepresence config view.
body: >-
The <code>telepresence config view</code> command will now print zero values in the output when
the default for the value is non-zero.
- type: bugfix
title: Restore ability to run the telepresence CLI in a docker container.
body: >-
The improvements made to be able to run the telepresence daemon in docker
using <code>telepresence connect --docker</code> made it impossible to run
both the CLI and the daemon in docker. This commit fixes that and
also ensures that the user- and root-daemons are merged in this
scenario when the container runs as root.
- type: bugfix
title: Remote mounts when intercepting with the --replace flag.
body: >-
A <code>telepresence intercept --replace</code> did not correctly mount all volumes, because when the
intercepted container was removed, its mounts were no longer visible to the agent-injector when it
was subjected to a second invocation. The container is now kept in place, but with an image that
just sleeps infinitely.
- type: bugfix
title: Intercepting with the --replace flag will no longer require all subsequent intercepts to use --replace.
body: >-
A <code>telepresence intercept --replace</code> will no longer switch the mode of the intercepted workload,
forcing all subsequent intercepts on that workload to use <code>--replace</code> until the agent is
uninstalled. Instead, <code>--replace</code> can be used interchangeably just like any other intercept flag.
- type: bugfix
title: Kubeconfig exec authentication with context names containing colon didn't work on Windows
body: >-
The logic added to allow the root daemon to connect directly to the cluster using the user daemon as a proxy
for exec type authentication in the kube-config, didn't take into account that a context name sometimes
contains the colon ":" character. That character cannot be used in filenames on windows because it is the
drive letter separator.
- type: bugfix
title: Provide agent name and tag as separate values in Helm chart
body: >-
The <code>AGENT_IMAGE</code> was a concatenation of the agent's name and tag. This is now changed so that the
env instead contains an <code>AGENT_IMAGE_NAME</code> and <code>AGENT_INAGE_TAG</code>. The <code>AGENT_IMAGE
</code> is removed. Also, a new env <code>REGISTRY</code> is added, where the registry of the traffic-
manager image is provided. The <code>AGENT_REGISTRY</code> is no longer required
and will default to <code>REGISTRY</code> if not set.
- type: bugfix
title: Environment interpolation expressions were prefixed twice.
body: >-
Telepresence would sometimes prefix environment interpolation expressions in the traffic-agent twice so
that an expression that looked like <code>$(SOME_NAME)</code> in the app-container, ended up as <code>
$(_TEL_APP_A__TEL_APP_A_SOME_NAME)</code> in the corresponding expression in the traffic-agent.
- type: bugfix
title: Panic in root-daemon on darwin workstations with full access to cluster network.
body: >-
A darwin machine with full access to the cluster's subnets will never create a TUN-device, and a check was
missing if the device actually existed, which caused a panic in the root daemon.
- type: bugfix
title: Show allow-conflicting-subnets in telepresence status and telepresence config view.
body: >-
The <code>telepresence status</code> and <code>telepresence config view</code> commands didn't show the
<code>allowConflictingSubnets</code> CIDRs because the value wasn't propagated correctly to the CLI.
- type: feature
title: It is now possible use a host-based connection and containerized connections simultaneously.
body: >-
Only one host-based connection can exist because that connection will alter the DNS to reflect the namespace
of the connection. but it's now possible to create additional connections using <code>--docker</code> while
retaining the host-based connection.
- type: feature
title: Ability to set the hostname of a containerized daemon.
body: >-
The hostname of a containerized daemon defaults to be the container's ID in Docker. You now can override the
hostname using <code>telepresence connect --docker --hostname <a name></code>.
- type: feature
title: New <code>--multi-daemon</code>flag to enforce a consistent structure for the status command output.
body: >-
The output of the <code>telepresence status</code> when using <code>--output json</code> or <code>--output
yaml</code> will either show an object where the <code>user_daemon</code> and <code>root_daemon</code>
are top level elements, or when multiple connections are used, an object where a <code>connections</code>
list contains objects with those daemons. The flag <code>--multi-daemon</code> will enforce the latter
structure even when only one daemon is connected so that the output can be parsed consistently. The reason
for keeping the former structure is to retain backward compatibility with existing parsers.
- type: bugfix
title: Make output from telepresence quit more consistent.
body: >-
A quit (without -s) just disconnects the host user and root daemons but will quit a container based daemon.
The message printed was simplified to remove some have/has is/are errors caused by the difference.
- type: bugfix
title: "Fix "tls: bad certificate" errors when refreshing the mutator-webhook secret"
body: >-
The <code>agent-injector</code> service will now refresh the secret used by the <code>mutator-webhook</code>
each time a new connection is established, thus preventing the certificates to go out-of-sync when
the secret is regenerated.
- type: bugfix
title: Keep telepresence-agents configmap in sync with pod states.
body: >-
An intercept attempt that resulted in a timeout due to failure of injecting the traffic-agent left the
<code>telepresence-agents</code> configmap in a state that indicated that an agent had been added, which
caused problems for subsequent intercepts after the problem causing the first failure had been fixed.
- type: bugfix
title: The <code>telepresence status</code> command will now report the status of all running daemons.
body: >-
A <code>telepresence status</code>, issued when multiple containerized daemons were active, would error with
"multiple daemons are running, please select one using the --use <match> flag". This is now
fixed so that the command instead reports the status of all running daemons.
- type: bugfix
title: The <code>telepresence version</code> command will now report the version of all running daemons.
body: >-
A <code>telepresence version</code>, issued when multiple containerized daemons were active, would error with
"multiple daemons are running, please select one using the --use <match> flag". This is now
fixed so that the command instead reports the version of all running daemons.
- type: bugfix
title: Multiple containerized daemons can now be disconnected using <code>telepresence quit -s</code>
body: >-
A <code>telepresence quit -s</code>, issued when multiple containerized daemons were active, would error with
"multiple daemons are running, please select one using the --use <match> flag". This is now
fixed so that the command instead quits all daemons.
- type: bugfix
title: The DNS search path on Windows is now restored when Telepresence quits
body: >-
The DNS search path that Telepresence uses to simulate the DNS lookup functionality in the connected
cluster namespace was not removed by a <code>telepresence quit</code>, resulting in connectivity problems
from the workstation. Telepresence will now remove the entries that it has added to the search list when
it quits.
- type: bugfix
title: The user-daemon would sometimes get killed when used by multiple simultaneous CLI clients.
body: >-
The user-daemon would die with a fatal "fatal error: concurrent map writes" error in the
<code>connector.log</code>, effectively killing the ongoing connection.
- type: bugfix
title: Multiple services ports using the same target port would not get intercepted correctly.
body: >-
Intercepts didn't work when multiple service ports were using the same container port. Telepresence would
think that one of the ports wasn't intercepted and therefore disable the intercept of the container port.
- type: bugfix
title: Root daemon refuses to disconnect.
body: >-
The root daemon would sometimes hang forever when attempting to disconnect due to a deadlock in
the VIF-device.
- type: bugfix
title: Fix panic in user daemon when traffic-manager was unreachable
body: >-
The user daemon would panic if the traffic-manager was unreachable. It will now instead report
a proper error to the client.
- type: change
title: Removal of backward support for versions predating 2.6.0
body: >-
The telepresence helm installer will no longer discover and convert workloads that were modified by versions
prior to 2.6.0. The traffic manager will and no longer support the muxed tunnels used in versions prior to
2.5.0.
- version: 2.17.0
date: "2023-11-14"
notes:
- type: feature
title: Additional Prometheus metrics to track intercept/connect activity
body: >-
This feature adds the following metrics to the Prometheus endpoint: <code>connect_count</code>,
<code>connect_active_status</code>, <code>intercept_count</code>, and <code>intercept_active_status</code.
These are labeled by client/install_id.
Additionally, the <code>intercept_count</code> metric has been renamed to <code>active_intercept_count</code>
for clarity.
- type: feature
title: Make the Telepresence client docker image configurable.
body: >-
The docker image used when running a Telepresence intercept in docker mode can now be configured using
the setting <code>images.clientImage</code> and will default first to the value of the environment <code>
TELEPRESENCE_CLIENT_IMAGE</code>, and then to the value preset by the telepresence binary. This
configuration setting is primarily intended for testing purposes.
- type: feature
title: Use traffic-agent port-forwards for outbound and intercepted traffic.
body: >-
The telepresence TUN-device is now capable of establishing direct port-forwards to a traffic-agent in the
connected namespace. That port-forward is then used for all outbound traffic to the device, and also for
all traffic that arrives from intercepted workloads. Getting rid of the extra hop via the traffic-manager
improves performance and reduces the load on the traffic-manager. The feature can only be used if the client
has Kubernetes port-forward permissions to the connected namespace. It can be disabled by setting <code>
cluster.agentPortForward</code> to <code>false</code> in <code>config.yml</code>.
- type: feature
title: Improve outbound traffic performance.
body: >-
The root-daemon now communicates directly with the traffic-manager instead of routing all outbound traffic
through the user-daemon. The root-daemon uses a patched kubeconfig where <code>exec</code> configurations to
obtain credentials are dispatched to the user-daemon. This to ensure that all authentication plugins will
execute in user-space. The old behavior of routing everything through the user-daemon can be restored by
setting <code>cluster.connectFromRootDaemon</code> to <code>false</code> in <code>config.yml</code>.
- type: feature
title: New networking CLI flag --allow-conflicting-subnets
body: >-
telepresence connect (and other commands that kick off a connect) now accepts an --allow-conflicting-subnets
CLI flag. This is equivalent to client.routing.allowConflictingSubnets in the helm chart, but can be specified
at connect time. It will be appended to any configuration pushed from the traffic manager.
- type: change
title: Warn if large version mismatch between traffic manager and client.
body: >-
Print a warning if the minor version diff between the client and the traffic manager is greater than three.
- type: change
title: The authenticator binary was removed from the docker image.
body: >-
The <code>authenticator</code> binary, used when serving proxied <code>exec</code> kubeconfig credential
retrieval, has been removed. The functionality was instead added as a subcommand to the <code>telepresence
</code> binary.
- version: 2.16.1
date: "2023-10-12"
notes:
- type: feature
title: Add --docker-debug flag to the telepresence intercept command.
body: >-
This flag is similar to <code>--docker-build</code> but will start the container with more relaxed security
using the <code>docker run</code> flags <code>--security-opt apparmor=unconfined --cap-add SYS_PTRACE</code>.
- type: feature
title: Add a --export option to the telepresence connect command.
body: >-
In some situations it is necessary to make some ports available to the
host from a containerized telepresence daemon. This commit adds a
repeatable <code>--expose <docker port exposure></code> flag to the connect
command.
- type: feature
title: Prevent agent-injector webhook from selecting from kube-xxx namespaces.
body: >-
The <code>kube-system</code> and <code>kube-node-lease</code> namespaces should not be affected by a
global agent-injector webhook by default. A default <code>namespaceSelector</code> was therefore added
to the Helm Chart <code>agentInjector.webhook</code> that contains a <code>NotIn</code> preventing those
namespaces from being selected.
- type: bugfix
title: Backward compatibility for pod template TLS annotations.
body: >-
Users of Telepresence < 2.9.0 that make use of the pod template TLS annotations were unable to upgrade because
the annotation names have changed (now prefixed by "telepresence."), and the environment expansion of the
annotation values was dropped. This fix restores support for the old names (while retaining the new ones) and
the environment expansion.
- type: security
title: Built with go 1.21.3
body: >-
Built Telepresence with go 1.21.3 to address CVEs.
- type: bugfix
title: Match service selector against pod template labels
body: >-
When listing intercepts (typically by calling <code>telepresence list</code>) selectors of services are matched
against workloads. Previously the match was made against the labels of the workload, but now they are matched
against the labels pod template of the workload. Since the service would actually be matched against pods this
is more correct. The most common case when this makes a difference is that statefulsets now are listed when they should.
- version: 2.16.0
date: "2023-10-02"
notes:
- type: bugfix
title: The helm sub-commands will no longer start the user daemon.
body: >-
The <code>telepresence helm install/upgrade/uninstall</code> commands will no longer start the telepresence
user daemon because there's no need to connect to the traffic-manager in order for them to execute.
- type: bugfix
title: Routing table race condition
body: >-
A race condition would sometimes occur when a Telepresence TUN device was deleted and another created in rapid
succession that caused the routing table to reference interfaces that no longer existed.
- type: bugfix
title: Stop lingering daemon container
body: >-
When using <code>telepresence connect --docker</code>, a lingering container could be present, causing errors
like "The container name NN is already in use by container XX ...". When this happens, the connect
logic will now give the container some time to stop and then call <code>docker stop NN</code> to stop it
before retrying to start it.
- type: bugfix
title: Add file locking to the Telepresence cache
body: >-
Files in the Telepresence cache are accesses by multiple processes. The processes will now use advisory
locks on the files to guarantee consistency.
- type: change
title: Lock connection to namespace
body: >-
The behavior changed so that a connected Telepresence client is bound to a namespace. The namespace can then
not be changed unless the client disconnects and reconnects. A connection is also given a name. The default
name is composed from <code><kube context name>-<namespace></code> but can be given explicitly
when connecting using <code>--name</code>. The connection can optionally be identified using the option
<code>--use <name match></code> (only needed when docker is used and more than one connection is active).
- type: change
title: Deprecation of global --context and --docker flags.
body: >-
The global flags <code>--context</code> and <code>--docker</code> will now be considered deprecated unless used
with commands that accept the full set of Kubernetes flags (e.g. <code>telepresence connect</code>).
- type: change
title: Deprecation of the --namespace flag for the intercept command.
body: >-
The <code>--namespace</code> flag is now deprecated for <code>telepresence intercept</code> command. The flag can instead
be used with all commands that accept the full set of Kubernetes flags (e.g. <code>telepresence connect</code>).
- type: change
title: Legacy code predating version 2.6.0 was removed.
body: >-
The telepresence code-base still contained a lot of code that would modify workloads instead of relying on
the mutating webhook installer when a traffic-manager version predating version 2.6.0 was discovered. This
code has now been removed.
- type: feature
title: Add `telepresence list-namespaces` and `telepresence list-contexts` commands
body: >-
These commands can be used to check accessible namespaces and for automation.
- type: change
title: Implicit connect warning
body: >-
A deprecation warning will be printed if a command other than <code>telepresence connect</code> causes an
implicit connect to happen. Implicit connects will be removed in a future release.
- version: 2.15.1
date: "2023-09-06"
notes:
- type: security
title: Rebuild with go 1.21.1
body: >-
Rebuild Telepresence with go 1.21.1 to address CVEs.
- type: security
title: Set security context for traffic agent
body: >-
Openshift users reported that the traffic agent injection was failing due to a missing security context.
- version: 2.15.0
date: "2023-08-29"
notes:
- type: security
title: Add ASLR to telepresence binaries
body: >-
ASLR hardens binary sercurity against fixed memory attacks.
- type: feature
title: Added client builds for arm64 architecture.
body: >-
Updated the release workflow files in github actions to including building and publishing the client binaries for arm64 architecture.
docs: https://github.com/telepresenceio/telepresence/issues/3259
- type: bugfix
title: KUBECONFIG env var can now be used with the docker mode.
body: >-
If provided, the KUBECONFIG environment variable was passed to the kubeauth-foreground service as a parameter.
However, since it didn't exist, the CLI was throwing an error when using <code>telepresence connect --docker</code>.
docs: https://github.com/telepresenceio/telepresence/pull/3300
- type: bugfix
title: Fix deadlock while watching workloads
body: >-
The <code>telepresence list --output json-stream</code> wasn't releasing the session's lock after being
stopped, including with a <code>telepresence quit</code>. The user could be blocked as a result.
docs: https://github.com/telepresenceio/telepresence/pull/3298
- type: bugfix
title: Change json output of telepresence list command
body: >-
Replace deprecated info in the JSON output of the telepresence list command.
- version: 2.14.4
date: "2023-08-21"
notes:
- type: bugfix
title: Nil pointer exception when upgrading the traffic-manager.
body: >-
Upgrading the traffic-manager using <code>telepresence helm upgrade</code> would sometimes
result in a helm error message <q>executing "telepresence/templates/intercept-env-configmap.yaml"
at <.Values.intercept.environment.excluded>: nil pointer evaluating interface {}.excluded"</q>
docs: https://github.com/telepresenceio/telepresence/issues/3313
- version: 2.14.2
date: "2023-07-26"
notes:
- type: bugfix
title: Telepresence now use the OSS agent in its latest version by default.
body: >-
The traffic manager admin was forced to set it manually during the chart installation.
docs: https://github.com/telepresenceio/telepresence/issues/3271
- version: 2.14.1
date: "2023-07-07"
notes:
- type: feature
title: Envoy's http idle timout is now configurable.
body: >-
A new <code>agent.helm.httpIdleTimeout</code> setting was added to the Helm chart that controls
the proprietary Traffic agent's http idle timeout. The default of one hour, which in some situations
would cause a lot of resource consuming and lingering connections, was changed to 70 seconds.
- type: feature
title: Add more gauges to the Traffic manager's Prometheus client.
body: >-
Several gauges were added to the Prometheus client to make it easier to monitor
what the Traffic manager spends resources on.
- type: feature
title: Agent Pull Policy
body: >-
Add option to set traffic agent pull policy in helm chart.
- type: bugfix
title: Resource leak in the Traffic manager.
body: >-
Fixes a resource leak in the Traffic manager caused by lingering tunnels between the clients and
Traffic agents. The tunnels are now closed correctly when terminated from the side that created them.
- type: bugfix
title: Fixed problem setting traffic manager namespace using the kubeconfig extension.
body: >-
Fixes a regression introduced in version 2.10.5, making it impossible to set the traffic-manager namespace
using the telepresence.io kubeconfig extension.
docs: https://www.getambassador.io/docs/telepresence/latest/reference/config#manager
- version: 2.14.0
date: "2023-06-12"
notes:
- type: feature
title: DNS configuration now supports excludes and mappings.
body: >-
The DNS configuration now supports two new fields, excludes and mappings. The excludes field allows you to
exclude a given list of hostnames from resolution, while the mappings field can be used to resolve a hostname with
another.
docs: https://github.com/telepresenceio/telepresence/pull/3172
- type: feature
title: Added the ability to exclude environment variables
body: >-
Added a new config map that can take an array of environment variables that will
then be excluded from an intercept that retrieves the environment of a pod.
- type: bugfix
title: Fixed traffic-agent backward incompatibility issue causing lack of remote mounts
body: >-
A traffic-agent of version 2.13.3 (or 1.13.15) would not propagate the directories under
<code>/var/run/secrets</code> when used with a traffic manager older than 2.13.3.
- type: bugfix
title: Fixed race condition causing segfaults on rare occasions when a tunnel stream timed out.
body: >-
A context cancellation could sometimes be trapped in a stream reader, causing it to incorrectly return
an undefined message which in turn caused the parent reader to panic on a <code>nil</code> pointer reference.
docs: https://github.com/telepresenceio/telepresence/pull/2963
- type: change
title: Routing conflict reporting.
body: >-
Telepresence will now attempt to detect and report routing conflicts with other running VPN software on client machines.
There is a new configuration flag that can be tweaked to allow certain CIDRs to be overridden by Telepresence.
- type: change
title: test-vpn command deprecated
body: >-
Running telepresence test-vpn will now print a deprecation warning and exit. The command will be removed in a future release.
Instead, please configure telepresence for your VPN's routes.
- version: 2.13.3
date: "2023-05-25"
notes:
- type: feature
title: Add imagePullSecrets to hooks
body: >-
Add .Values.hooks.curl.imagePullSecrets and .Values.hooks curl.imagePullSecrets to Helm values.
docs: https://github.com/telepresenceio/telepresence/pull/3079
- type: change
title: Change reinvocation policy to Never for the mutating webhook
body: >-
The default setting of the reinvocationPolicy for the mutating webhook dealing with agent injections changed from Never to IfNeeded.
- type: bugfix
title: Fix mounting fail of IAM roles for service accounts web identity token
body: >-
The eks.amazonaws.com/serviceaccount volume injected by EKS is now exported and remotely mounted during an intercept.
docs: https://github.com/telepresenceio/telepresence/issues/3166
- type: bugfix
title: Correct namespace selector for cluster versions with non-numeric characters
body: >-
The mutating webhook now correctly applies the namespace selector even if the cluster version contains non-numeric characters. For example, it can now handle versions such as Major:"1", Minor:"22+".
docs: https://github.com/telepresenceio/telepresence/pull/3184
- type: bugfix
title: Enable IPv6 on the telepresence docker network
body: >-
The "telepresence" Docker network will now propagate DNS AAAA queries to the Telepresence DNS resolver when it runs in a Docker container.
docs: https://github.com/telepresenceio/telepresence/issues/3179
- type: bugfix
title: Fix the crash when intercepting with --local-only and --docker-run
body: >-
Running telepresence intercept --local-only --docker-run no longer results in a panic.
docs: https://github.com/telepresenceio/telepresence/issues/3171
- type: bugfix
title: Fix incorrect error message with local-only mounts
body: >-
Running telepresence intercept --local-only --mount false no longer results in an incorrect error message saying "a local-only intercept cannot have mounts".
docs: https://github.com/telepresenceio/telepresence/issues/3171
- type: bugfix
title: specify port in hook urls
body: >-
The helm chart now correctly handles custom agentInjector.webhook.port that was not being set in hook URLs.
docs: https://github.com/telepresenceio/telepresence/pull/3161
- type: bugfix
title: Fix wrong default value for disableGlobal and agentArrival
body: >-
Params .intercept.disableGlobal and .timeouts.agentArrival are now correctly honored.