Merge branch 'main' into feat/ai-rsource-sizing-guide

Author: tomek-labuk

app/_data/products/mesh.yml

@@ -36,7 +36,7 @@ releases:
   - version: 2.7.19
     release: "2.7"
     releaseDate: "2024-04-19"
-    eol: "2026-04-19"
+    eol: "2026-10-19"
     branch: release-2.7
     lts: true
   - version: 2.8.8

app/_how-tos/synchronize-with-git.md

@@ -13,8 +13,6 @@ tags:
 - mock-servers
 - git
 
-tier: pro
-
 min_version:
   insomnia: '11.0'
 

app/assets/mesh/dev/raw/crds/kuma.io_workloads.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.19.0
+  name: workloads.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: Workload
+    listKind: WorkloadList
+    plural: workloads
+    shortNames:
+    - wl
+    singular: workload
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma Workload resource.
+            type: object
+          status:
+            description: Status is the current status of the Kuma Workload resource.
+            properties:
+              dataplaneProxies:
+                description: DataplaneProxies defines statistics of data plane proxies
+                  that are part of this workload
+                properties:
+                  connected:
+                    description: Connected defines number of connected data plane
+                      proxies
+                    format: int32
+                    type: integer
+                  healthy:
+                    description: Healthy defines number of healthy data plane proxies
+                      for this workload
+                    format: int32
+                    type: integer
+                  total:
+                    description: Total defines total number of data plane proxies
+                      for this workload
+                    format: int32
+                    type: integer
+                required:
+                - connected
+                - healthy
+                - total
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true

app/assets/mesh/dev/raw/kuma-cp.yaml

@@ -421,6 +421,10 @@ runtime:
     # If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
     # The downside is that control plane requires permission to read Secrets in all namespaces.
     supportGatewaySecretsInAllNamespaces: false # ENV: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
+    # WorkloadLabels is a prioritized list of pod labels to use for generating the kuma.io/workload label on DataplaneProxy.
+    # The first non-empty label value found will be used. If no labels match, falls back to ServiceAccount name.
+    # Default is empty list (uses ServiceAccount as workload identifier).
+    workloadLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_WORKLOAD_LABELS
   # Universal-specific configuration
   universal:
     # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
@@ -837,6 +841,7 @@ coreResources:
     - meshmultizoneservices
     - meshservices
     - meshtrusts
+    - workloads
 # IP address management configuration
 ipam:
   # MeshService address management

app/assets/mesh/dev/raw/rbac.yaml

@@ -125,6 +125,7 @@ rules:
       - meshmultizoneservices
       - meshservices
       - meshtrusts
+      - workloads
     verbs:
       - get
       - list

app/insomnia/mcp-clients-in-insomnia.md

@@ -43,7 +43,20 @@ faqs:
       The MCP Auth Flow uses your system’s default browser. Ensure that Insomnia can open URLs using your system browser. The MCP Auth Flow only supports browser-based OAuth.
   - q: Why is MCP Auth Flow not listed under OAuth 2.0?
     a: |
-      The MCP Server’s metadata may not include a valid authorization endpoint. Use a **Personal Access Token (PAT)** or **Basic Auth** instead.     
+      The MCP Server’s metadata may not include a valid authorization endpoint. Use a **Personal Access Token (PAT)** or **Basic Auth** instead.
+  - q: Can I re-test MCP authentication?
+    a: |
+      Yes. To re-start the **MCP Authentication Flow**, remove the existing token and reconnect:
+
+      1. Open the **Authentication** tab.
+      1. Disconnect from the server.
+      1. Delete the current access token value.
+      1. Reconnect or send a request to trigger the flow again.
+
+      Insomnia only restarts the MCP Authentication Flow when the server responds with `401 Unauthorized`.
+
+      > **Note:** You can't re-run individual MCP Auth calls. Only the full flow can be restarted manually.
+        
 ---
 Use Insomnia to connect external **Model Context Protocol (MCP)** Servers to access AI-ready tools, prompts, and resource. An **MCP Client** defines this connection and stores authentication and configuration details.
 
@@ -121,6 +134,9 @@ When you connect to an MCP Server that requires authentication, Insomnia follows
 3. If it’s not selected, Insomnia prompts you to switch to the discovered auth flow.  
    Confirm to proceed or cancel to remain on your current method.
 
+{:.info}
+> Not all MCP-compatible servers handle authentication the same way. Because this standard evolves quickly, some setups may need manual tweaks to work as expected. Insomnia shows you every request and response so you can check what succeeded or failed.
+
 If the authorization server does not support Dynamic Client Registration, you can:
 - Use a **Personal Access Token (PAT)**, for example GitHub Copilot MCP Server.  
 - Register your own **OAuth application**, then enter the Client ID and Secret in Insomnia.