Announcing Linkerd 2.7: External PKI support, better gitops workflows, streamlined cert rotation, and more

William Morgan

William Morgan
February 10, 2020 • 3 min read

A picture of some old locks

We're happy to announce the release of Linkerd 2.7! This security-themed release adds support for integrating Linkerd's mutual TLS infrastructure with external certificate issuers such as Vault and cert-manager, improves gitops workflows by allowing Linkerd manifests to be generated without secrets, and makes it easy to automatically rotate TLS credentials. It also improves dashboard performance, improves usability of Helm charts, and much, much more.

This release includes changes from a massive list of contributors, including @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre, @javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607, @Pothulapati, and @StupidScience!

External PKI support, including Vault

Linkerd's new support for external PKI providers unlocks a ton of new capabilities for Linkerd. First, it means that it's possible to use projects such as Vault and cert-manager to provide the credentials that Linkerd uses to sign its TLS certificates. For gitops practitioners, it means that Linkerd manifests can now be generated without secrets and thus can be safely checked in to version control—a popular request!

Finally, it means that, regardless of where they originate, it's now easy to automatically rotate Linkerd's mTLS credentials, a process that was until now was manual. (Note that data plane proxy TLS certificates have always been automatically rotated.)

This new set of capabilities is already generating excitement in the community:

Improved dashboard

Linkerd 2.7 continues our theme of improving Linkerd's dashboard. First, the dashboard now displays CronJob and ReplicaSet resources, and ships with pre-configured Grafana dashboards for them. We've added tap headers (a feature introduced in 2.6) to the dashboard, protected against DNS rebinding attacks, and fixed many other smaller issues.

Snazzy dashboard with tap headers

And lots more

Linkerd 2.7 brings some big improvements to Linkerd's Helm charts (though with some breaking changes): we've split the CNI template into a separate chart, fixed several issues, and generally updated the chart to follow community best practices. Linkerd 2.7 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:

  • Support for headless services.
  • A new --wait-before-exit-seconds flag to delay proxy shutdown.
  • Improved error classification for gRPC services.
  • Many additions to linkerd check, including CNI plugin status, and TLS cert validation.
  • Lots more!

See the full release notes for details.

Find us at KubeCon EU

We want to meet you! Next month many of the Linkerd maintainers and contributors will be converging on Kubecon EU in Amsterdam. William, Oliver, and Tarun will be delivering Linkerd introductory and deep-dive talks, and we'll have Linkerd talks by engineers at Finleap Universidad San Carlos de Guatemala, Buoyant, and more. If you're attending, please swing by the #kccnceu20 channel in the Linkerd Slack and find us at the Linkerd booth in the expo hall.

Try it today!

Ready to try Linkerd? Those of you who have been tracking the 2.x branch via our weekly edge releases will already have seen these features in action. Either way, you can download the stable 2.7 release by running:

curl https://run.linkerd.io/install | sh

Using Helm? See our guide to installing Linkerd with Helm. Upgrading from a previous release? We've got you covered: see our Linkerd upgrade guide for how to use the linkerd upgrade command.

Linkerd is for everyone

Linkerd is a community project and is hosted by the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we'd love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!

Image credit: unsplash-logoGeorgia de Lotz

Have you adopted Linkerd? Let us know and we’ll send you some sweet swag!