Bump proxy-init and CNI plugin versions (#12462)

A new release has been cut for both. The new release adds a new `GID`
feature that allows iptables to skip traffic originating from a process
running under the specified GID. The CNI plugin also includes a fix for
native sidecar containers.

* Bump proxy-init from `v2.3.0` to `v2.4.0`
* Bump CNI plugin from `v1.4.0` to `v1.5.0`

---------

Signed-off-by: Matei David <matei@buoyant.io>

charts/linkerd-control-plane/README.md

@@ -205,7 +205,7 @@ Kubernetes: `>=1.22.0-0`
 | policyController.image.version | string | linkerdVersion | Tag for the policy controller container image |
 | policyController.logLevel | string | `"info"` | Log level for the policy controller |
 | policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed.  By default, all networks are allowed so that all probes are authorized. |
-| policyController.resources | object | destinationResources | policy controller resource requests & limits |
+| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits |
 | policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use |
 | policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests |
 | policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use |
@@ -272,7 +272,7 @@ Kubernetes: `>=1.22.0-0`
 | proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
 | proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
 | proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
-| proxyInit.image.version | string | `"v2.3.0"` | Tag for the proxy-init container image |
+| proxyInit.image.version | string | `"v2.4.0"` | Tag for the proxy-init container image |
 | proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
 | proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
 | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |

charts/linkerd-control-plane/values.yaml

@@ -268,7 +268,7 @@ proxyInit:
     # @default -- imagePullPolicy
     pullPolicy: ""
     # -- Tag for the proxy-init container image
-    version: v2.3.0
+    version: v2.4.0
   resources:
     cpu:
       # -- Maximum amount of CPU units that the proxy-init container can use

charts/linkerd2-cni/README.md

@@ -32,7 +32,7 @@ Kubernetes: `>=1.22.0-0`
 | ignoreOutboundPorts | string | `""` | Default set of outbound ports to skip via iptables |
 | image.name | string | `"cr.l5d.io/linkerd/cni-plugin"` | Docker image for the CNI plugin |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linkerd-cni container |
-| image.version | string | `"v1.4.0"` | Tag for the CNI container Docker image |
+| image.version | string | `"v1.5.0"` | Tag for the CNI container Docker image |
 | imagePullSecrets | list | `[]` |  |
 | inboundProxyPort | int | `4143` | Inbound port for the proxy container |
 | iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing |

charts/linkerd2-cni/values.yaml

@@ -57,7 +57,7 @@ image:
   # -- Docker image for the CNI plugin
   name: "cr.l5d.io/linkerd/cni-plugin"
   # -- Tag for the CNI container Docker image
-  version: "v1.4.0"
+  version: "v1.5.0"
   # -- Pull policy for the linkerd-cni container
   pullPolicy: IfNotPresent
 

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -181,7 +181,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.3.0
+        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -181,7 +181,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.3.0
+        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:
@@ -404,7 +404,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.3.0
+        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -181,7 +181,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.3.0
+        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources: