kumactl 2.5.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

release notes

We’re excited to announce the release of Kuma 2.5, a new minor release packed with exciting features such as advanced locality-aware load balancing, auto-reachable services, and targetRef based policies becoming GA.
Upgrading
We strongly suggest upgrading to Kuma 2.5.0. Upgrading is easy through kumactl or Helm.

Be sure to carefully read the Upgrade Guide before upgrading Kuma.
Notable features:

🚀 Advanced locality-aware load balancing inside and across zones helps you achieve cost savings and high reliability, even in the most constrained environments.
🚀 Reachable services can now be derived from MeshTrafficPermissions to get performance improvements for free.
🚀 Support for Gateway API v1 following Gateway APIs first GA release!
🚀 Delta KDS is now enabled by default. This greatly reduces the resource consumption of the Global CP / Zone CP protocol.
🚀 Many improvements to the GUI.
🚀 Upgrade to Envoy 1.28.

Read the blog post for details!
Changelog

chore(deps): bump actions/checkout from 3 to 4 #7639 @dependabot
chore(deps): bump actions/setup-node from 3 to 4 #8109 @dependabot
chore(deps): bump cirello.io/pglock from 1.14.0 to 1.14.1 #7914 @dependabot
chore(deps): bump debian from b91baba to 7d3e881 #7697 #7852 #8053 @dependabot
chore(deps): bump distroless/base-nossl-debian11 from 6579e1f to 1ae8df5 #7635 #7985 @dependabot
chore(deps): bump distroless/static-debian11 from 312a533 to cdb2034 #7636 #7987 @dependabot
chore(deps): bump envoy from 1.27.0 to 1.27.1 #8023 @lahabana
chore(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.2 #8093 @dependabot
chore(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #7712 @dependabot
chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible #8183 @dependabot
chore(deps): bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0 #7786 @dependabot
chore(deps): bump github.com/exaring/otelpgx from 0.5.1 to 0.5.2 #7857 @dependabot
chore(deps): bump github.com/go-logr/logr from 1.2.4 to 1.3.0 #8184 @dependabot
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.4.0 #7609 #8188 @dependabot
chore(deps): bump github.com/gruntwork-io/terratest from 0.43.13 to 0.46.1 #7792 #7993 #8090 @dependabot
chore(deps): bump github.com/miekg/dns from 1.1.55 to 1.1.56 #7785 @dependabot
chore(deps): bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.13.0 #7611 #7854 #7991 @dependabot
chore(deps): bump github.com/onsi/gomega from 1.27.10 to 1.29.0 #7917 #8094 #8185 @dependabot
chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 #7916 @dependabot
chore(deps): bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 #7992 @dependabot
chore(deps): bump github.com/slok/go-http-metrics from 0.10.0 to 0.11.0 #8091 @dependabot
chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 #7989 @dependabot
chore(deps): bump github.com/testcontainers/testcontainers-go from 0.23.0 to 0.26.0 #7791 #7945 #8186 @dependabot
chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.0 to 0.1.1 #7641 @dependabot
chore(deps): bump go from 1.20.7 to 1.21.1 #7799 @lukidzi
chore(deps): bump go version to 1.21.3 #8001 @slonka
chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 #7789 @dependabot
chore(deps): bump golang.org/x/net from 0.14.0 to 0.16.0 #7699 #7988 @dependabot
chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #8034 @michaelbeaumont
chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 #7642 @dependabot
chore(deps): bump golang.org/x/text from 0.12.0 to 0.13.0 #7640 @dependabot
chore(deps): bump golangci-lint from v1.53.3 to v1.54.1 #7837 @michaelbeaumont
chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.59.0 #7698 #7788 #7856 #8097 @dependabot
chore(deps): bump helm.sh/helm/v3 from 3.12.3 to 3.13.1 #7915 #8089 @dependabot
chore(deps): bump k8s.io/apiextensions-apiserver from v0.28.1 to v0.28.2 #7918 @michaelbeaumont
chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.3 #7643 #7787 #8095 @dependabot
chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to v1.0.0 #7644 #7781 #8150 @dependabot,@michaelbeaumont
chore(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 #8187 @dependabot
chore(deps): bump the go-opentelemetry-io group with 3 updates #7784 #7920 @dependabot
chore(deps): bump the go-opentelemetry-io group with 3 updates  #8347 @slonka
chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates #7613 @dependabot
chore(deps): bump the go-opentelemetry-io-otel group with 2 updates #7607 @dependabot
chore(deps): bump the k8s-libs group with 3 updates #7606 #7790 #8088 @dependabot
chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 #7638 #7731 #7853 @dependabot
chore(deps): bump ubuntu from ec050c3 to 2b7412e #7637 #7986 #8052 @dependabot
chore(deps): downgrade testcontainers-go from v0.24.0 to v0.23.0 #7800 @jakubdyszkiewicz
chore(deps): update gateway-api #8270 @michaelbeaumont
chore(deps): update go to 1.21.4 #8341 @slonka
chore(deps): upgrade envoy to 1.28.0 #8158 @lukidzi
chore(deps): upgrade github.com/gruntwork-io/terratest to v0.43.13 #7706 @lukidzi
chore(deps): use latest kumahq/kuma-gui #7603 #7604 #7605 #7612 #7614 #7617 #7619 #7620 #7622 #7626 #7627 #7628 #7629 #7631 #7646 #7647 #7648 #7650 #7653 #7658 #7659 #7689 #7700 #7710 #7713 #7721 #7727 #7729 #7730 #7732 #7733 #7738 #7739 #7749 #7750 #7754 #7755 #7766 #7777 #7779 #7795 #7797 #7798 #7802 #7804 #7806 #7811 #7812 #7822 #7866 #7867 #7899 #7900 #7902 #7935 #7953 #7966 #7973 #7979 #7980 #7983 #7984 #7996 #7998 #8009 #8010 #8041 #8045 #8048 #8049 #8057 #8059 #8061 #8074 #8080 #8083 #8085 #8104 #8115 #8118 #8120 #8126 #8145 #8146 #8147 #8201 #8207 #8210 #8213 #8214 #8215 #8217 #8219 #8220 #8221 #8232 #8236 #8238 #8239 @kumahq
feat(ExternalService): add skip hostname verification for external services #7633 @alparslanavci
feat(MeshLoadBalancingStrategy): new locality aware api #8082 #8112 @Automaat,@lukidzi
feat(MeshProxyPatch): allow policy to target MeshGateway resources #8044 @bartsmykla
feat(api-server): add /_overview for all types that have overviews #7999 #8173 @lahabana
feat(api-server): add filtering on list external-services and dataplanes #7810 @lahabana
feat(api-server): added query parameter to filter services by name #8154 @lukidzi
feat(api-server): implement new Global Insight endpoint #7775 #7872 @Automaat
feat(api-server): new inspect api #8148 @lahabana
feat(docs): add generated openapi docs #7975 @lahabana
feat(dp-token): allow validator to define keys not scoped to a mesh #8169 @nicoche
feat(events): configurable buffers and predicates #7735 @jakubdyszkiewicz
feat(gui): adds storeType index.html variable #7965 @johncowen
feat(helm): add configurable service port for cp ingress #8263 @lahabana
feat(helm): add loadBalancerSourceRanges on global zone sync service #7978 @slavogiez
feat(helm): add possibility to run universal zone cp on kubernetes #7924 @Automaat
feat(helm): add service-account features to egress and ingress #7864 @lahabana
feat(helm): add support for controlplane deployment annotations #7959 @slavogiez
feat(helm): allow to define service accounts annotations #7724 @lukidzi
feat(helm): allow to disable tls-checksum generation #7955 @lukidzi
feat(helm): minReadySeconds for control plane #7931 @jakubdyszkiewicz
feat(insights): jitter zone insights upsert #7925 @jakubdyszkiewicz
feat(insights): metrics of reason and result #7752 @jakubdyszkiewicz
feat(insights): multiple workers #7778 @jakubdyszkiewicz
feat(kds): add metrics to event based watchdog #7651 @jakubdyszkiewicz
feat(kds): add user-agent with useful version info #7886 @lahabana
feat(kds): allow to delay full resync when ticker #7782 @lukidzi
feat(kds): allow to disable KDS SOTW grpc api #7961 @lukidzi
feat(kds): better error handling #7868 @jakubdyszkiewicz
feat(kds): compact subscriptions in insights #7962 @jakubdyszkiewicz
feat(kds): enable delta by default #8262 @lahabana
feat(kds): execute filters on envoy admin streams #7905 @jakubdyszkiewicz
feat(kds): experimental event based watchdog #7624 @jakubdyszkiewicz
feat(kds): introduce zone health checks #7821 @michaelbeaumont
feat(kds): pass resource keys to resourceStore for delta kds #7654 @lukidzi
feat(kds): resource sync metric #7794 @jakubdyszkiewicz
feat(kds): response backoff #7997 @jakubdyszkiewicz
feat(kds): use hash-suffix for KDS sync #7519 @lobkovilya
feat(kuma-cp): add HealthCheck unary endpoint #7815 @michaelbeaumont
feat(kuma-cp): add basedOnKuma in cp_info metric #8218 @lahabana
feat(kuma-cp): add locality aware implementation for egress #8233 @Automaat
feat(kuma-cp): add support for Gateway in MeshLoadBalancingStrategy #8309 @Automaat
feat(kuma-cp): allow to disable backend validation #7901 @lukidzi
feat(kuma-cp): make OpenTelemetry control plane tracing fully configurable #7936 @michaelbeaumont
feat(kuma-cp): move KDS hash suffix under a feature flag #8363 @lobkovilya
feat(kuma-dp): support setting Envoy's --component-log-level #8241 @michaelbeaumont
feat(kumactl): support new inspect api #8192 @lahabana
feat(rsa): add support for PKIX encoded pubkeys #8179 @nicoche
feat(store): add owner reference to the secrets #7770 @slonka
feat(store): added postgres index for owner columns #7625 @lukidzi
feat(store): allow ResourceStore to be customized #7743 @bartsmykla
feat(store): conflict metrics #7753 @jakubdyszkiewicz
feat(store): consistent gets for read replica #7923 @jakubdyszkiewicz
feat(store): support postgres reader replica #7763 @jakubdyszkiewicz
feat(tenants): add extension points for sharding #7502 @jakubdyszkiewicz
feat(transparent-proxy): add --exclude-outbound-ports-for-uids #7588 @lahabana
feat(transparent-proxy): allow to wait for xtables lock and retry when installing tproxy fails #7870 @bartsmykla
feat(xds): auto reachable services based on MeshTrafficPermission #8125 @jakubdyszkiewicz
fix(MeshFaultInjection): include tags negation in header matching #8043 @bartsmykla
fix(MeshGateway): ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames #8156 @ttreptow
fix(MeshTrafficPermission): support permissive mtls #8171 @jakubdyszkiewicz
fix(TrafficRoute): use default value when choiceCount is 0 #7938 @lukidzi
fix(api-server): 400 error on admin operations on not yet connected stream #8039 @slonka
fix(api-server): always remove empty array in inspect gw api #8209 @lahabana
fix(api-server): avoid panic when there no insight for entity #8068 @lahabana
fix(api-server): dataplane overview pagination #7803 @jakubdyszkiewicz
fix(api-server): empty list instead of null #7780 @jakubdyszkiewicz
fix(api-server): improve HandleError to handle rest_errors.Error and fix Unauthenticated error handling #7818 @bartsmykla
fix(api-server): improve error handling and return status #7937 @lahabana
fix(core): better lifecycle when context is getting cancelled #8268 @lahabana
fix(envoy): remove apple flag #8314 @lukidzi
fix(gatewayapi): don't set RefNotPermitted for GAMMA routes #7771 @michaelbeaumont
fix(gatewayapi): don't set listener ResolvedRefs based on routes ResolvedRefs #7809 @michaelbeaumont
fix(helm): do not run webhooks on kube-system #8157 @lahabana
fix(helm): make CNI configmap and serviceaccount support custom namespace #7956 @slavogiez
fix(helm): use bitnami/kubectl image for helm hooks #7656 @lahabana
fix(insights): have subscription gc also work for zoneEgress insights #7954 @lahabana
fix(insights): improve ZoneInsight subscription management #8153 @michaelbeaumont
fix(k8s): add namespace to deleteObjectIfExist in pod controller #8063 @slonka
fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations #8301 @slonka
fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services #8168 @bartsmykla
fix(kds): call CloseSend and exit a goroutine when sync fails to start #7869 @lukidzi
fix(kds): delta delivery metric #7793 @jakubdyszkiewicz
fix(kds): don't inc KdsGenerationErrors when context canceled #7913 @michaelbeaumont
fix(kds): experimental watchdog concurrent map write #7630 @jakubdyszkiewicz
fix(kds): set error when KDS clients fails in goroutine #7725 @lukidzi
fix(kds): try returning unavailable on app context finish #8050 @slonka
fix(kds): use deprecated method in otel #8366 @slonka
fix(kuma-cni): support port exclusion for UIDs #8319 @lobkovilya
fix(kuma-cp): change affinityTag field in MeshLoadBalancingStrategy t… #8294 @Automaat
fix(kuma-cp): cleanup interval should be calculated based on "expirationTime" for hashCache #8065 @lobkovilya
fix(kuma-cp): don't add postStart hook to builtin gateway even if waitForDataplaneReady: true #7939 @lobkovilya
fix(kuma-cp): don't configure RBAC rules on Prometheus listener #8172 @lobkovilya
fix(kuma-cp): fix Zone{In|E}gress sync when no mesh #8129 @bartsmykla
fix(kuma-cp): meta validation compatible with Kubernetes naming rules #7976 @lobkovilya
fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes #7909 @lobkovilya
fix(kuma-cp): take proper context for resync #7805 @lukidzi
fix(kuma-cp): use GetConsistent store when validating default mesh resources #7949 @lukidzi
fix(kuma-cp): using policy name with "." causes hash to be inserted in the wrong place on the zone #8240 @lobkovilya
fix(kuma-dp): advise user to check pod events when data plane rejected by webhooks #8257 @jijiechen
fix(kuma-dp): fix build #8282 @Automaat
fix(kuma-dp): fix incorrect dataplane name due to mangled env vars #8199 @bartsmykla
fix(kumactl): add --mesh parameter to inspect <policy> #7696 @lahabana
fix(observability): add annotation to make observability while running CNI work #8330 @slonka
fix(policy): improve targetRef name and tags validation #7972 @alparslanavci
fix(store): fix passing logs to pglock #8040 @slonka
fix(store): use customizer for postgres ro pool #7769 @jakubdyszkiewicz
fix(transparent-proxy): fix --wait flags for iptables legacy #8364 @bartsmykla
fix(xds): backwards compatibility on access logs paths #7662 @jakubdyszkiewicz
fix(xds): use stable hashes for outbound cluster names #8081 @michaelbeaumont
perf(insights): fetch dp overviews once #7652 @jakubdyszkiewicz
perf(insights): fetch external services once #7796 @lukidzi
perf(insights): refresh only changed #7737 @jakubdyszkiewicz
perf(store): postgres transactions #7995 @jakubdyszkiewicz
perf(xds): put the Gatewaylisteners in the Proxy #8051 @lahabana

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.