Releases: linkerd/linkerd2-proxy
v2.157.0
This release extends inbound policies to cover the proxy's admin server. To support this, policy initialization has been made lazy and the proxy's default policy is used until a policy is obtained from the control plane.
v2.156.0
This release improves error handling so that HTTP metrics include 5XX responses for common errors. Logging has also been improved to ensure `inbound` and `outbound` spans are always present in log messages. Outbound tap has been fixed to include route labels when service profiles are configured.
v2.155.0
This release features some performance improvements: tokio has been
updated to pick up tokio-rs/tokio#4055, and link-time optimizations have
been enabled in release builds. These changes reduce CPU and memory
overhead in benchmarks.
Inbound policy enforcement has been updated so that TCP forwarding is
interrupted if a policy update revokes a previously-established
authorization. New metrics are exposed to reflect how policies are used
by the proxy: `inbound_http_authz_{allow,deny}_total` and
`inbound_tcp_authz_{allow,deny,terminate}_total`.
The proxy's error metrics, `{inbound,outbound}_{http,tcp}_errors_total`,
have been updated to include the traffic target. And the `traffic_addr`
metric label is augmented by `target_ip` and `target_port` labels to
support more flexible Prometheus queries.
Inbound TCP metrics now only include a `srv_name` label, as it can't be
expected for all inbound connections to include authorization labels
(hence the new authz metrics). However, all inbound HTTP metrics--except
for the HTTP errors metric, which includes only a `srv_name`
label--include both `srv_name` and `saz_name` labels.
Finally, the inbound and outbound proxies now only export
Route-oriented metrics when a ServiceProfile is enabled, preventing
redundant metrics from being exported with no differentiating labels.
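The authorization counters introduced in this release can be totalled per server to see where policy is denying traffic or cutting established connections. The following is an added example, not code from the Linkerd project: it parses a constructed metrics scrape in Prometheus text format, and the sample lines, label values, function names and the 1% threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the five authz counters named in the release note.
AUTHZ_RE = re.compile(
    r'^inbound_(http|tcp)_authz_(allow|deny|terminate)_total'
    r'\{(?P<labels>[^}]*)\}\s+(?P<value>[0-9.eE+-]+)\s*$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample scrape; label values are invented for illustration and
# the label set on a real proxy may differ.
SAMPLE_SCRAPE = '''\
# TYPE inbound_http_authz_allow_total counter
inbound_http_authz_allow_total{srv_name="web-http",saz_name="web-clients"} 1200
inbound_http_authz_deny_total{srv_name="web-http"} 37
inbound_tcp_authz_allow_total{srv_name="db-tcp",saz_name="db-clients"} 80
inbound_tcp_authz_deny_total{srv_name="db-tcp"} 0
inbound_tcp_authz_terminate_total{srv_name="db-tcp"} 4
inbound_http_errors_total{srv_name="web-http"} 37
'''

def authz_totals(scrape):
    """Return {(protocol, srv_name): {"allow": n, "deny": n, "terminate": n}}."""
    totals = defaultdict(lambda: {"allow": 0.0, "deny": 0.0, "terminate": 0.0})
    for line in scrape.splitlines():
        m = AUTHZ_RE.match(line)
        if not m:
            continue  # comments and unrelated metrics are skipped
        labels = dict(LABEL_RE.findall(m.group("labels")))
        key = (m.group(1), labels.get("srv_name", "<unlabelled>"))
        totals[key][m.group(2)] += float(m.group("value"))
    return dict(totals)

def flag_servers(totals, max_deny_ratio=0.01):
    """Flag servers with a high deny share or any policy-revoked connection."""
    findings = []
    for (proto, srv), c in sorted(totals.items()):
        decisions = c["allow"] + c["deny"]
        ratio = c["deny"] / decisions if decisions else 0.0
        if ratio > max_deny_ratio:
            findings.append((proto, srv, "deny_ratio", round(ratio, 4)))
        if c["terminate"] > 0:  # forwarding interrupted after a policy update
            findings.append((proto, srv, "terminated", c["terminate"]))
    return findings

if __name__ == "__main__":
    for finding in flag_servers(authz_totals(SAMPLE_SCRAPE)):
        print(finding)
```

The counters are cumulative, so for alerting compare the difference between two scrapes rather than the absolute values.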
v2.154.0
This release improves policy handling for HTTP connections so that requests are failed with a 403 Forbidden status (or a PERMISSION_DENIED grpc-status, if appropriate). Inbound metrics now include labels indicating the server and/or authorization used to allow a connection or request to the proxy. Error metrics now include an `unauthorized` error reason for traffic that is denied by policy. Finally, the outbound proxy no longer initializes mTLS or HTTP/2 upgrades when the target proxy is itself. This is done in preparation for changes that will allow the proxy to stop forwarding connections on `localhost` so that servers bound only on the loopback interface are not exposed by Linkerd.
v2.153.0
This release adds support for dynamic inbound policies. The proxy now discovers policies from Linkerd's policy-controller API for all application ports documented in a pod spec. Rejected connections are logged. Policies are not yet reflected in the proxy's metrics. These policies also allow the proxy to skip protocol detection when a server is explicitly annotated as HTTP/2 or when the server is documented to be opaque or application-terminated TLS.
v2.152.0
This release changes outbound behavior to tear down server-side connections when the remote proxy returns responses indicating proxy errors. This usually indicates the application or its proxy is not in a good state, so the connection reset allows the application to connect to a new endpoint. Additionally, the proxy now does not process connections until identity is established, setting up for policy discovery. While this changes proxy behavior, this should not be a user-facing change, as containers are blocked on the proxy's readiness. Finally, the proxy has been updated to support inbound server authorization policies. These policies have a limited configuration via the environment, but are not yet configurable via a controller API.
v2.151.0
This release includes only dependency updates and internal changes to support upcoming policy features. No user-facing changes are expected.
v2.150.0
This release features a change to gateway proxies to support endpoint targets. Previously, only logical services were supported as gateway targets. The proxy now sets an informational header, `l5d-proxy-error`, when the proxy encounters an internal error. This allows proxy-generated error responses to be distinguished from application-generated error responses. HTTP/2 keepalives are no longer configured by the proxy. This resolves conflicts with some Go gRPC clients & servers (as described in linkerd/linkerd2#5988). Finally, the `*_tcp_accept_errors` metrics now include a `target_addr` label. This improves diagnostics, especially for TLS detection timeouts.
v2.149.0
This release replaces the `request_errors_total` metric with new metrics: `inbound_http_errors_total` and `outbound_http_errors_total`. This release also introduces new metrics--`inbound_tcp_accept_errors_total` and `outbound_tcp_accept_errors_total`--that count proxy errors encountered before a protocol can be detected.
v2.148.0
This release updates a wide variety of the proxy's dependencies. No user-facing changes are expected.