Don't remove a Namespace Index while it still contains AuthorizationPolicy #12088

Merged
adleong merged 6 commits into main from alex/index-empty
Feb 16, 2024

@adleong (Member) commented Feb 16, 2024

In the inbound policy index, we maintain a policy index per namespace which holds various policy resources for that namespace. When a per namespace index becomes empty, we remove it. However, we were not considering authorization policy resources when determining if the index is empty. This could result in the index being removed even while it contained authorization policy resources, as long as all other resource types did not exist.

This can lead to incorrect inbound policy responses when the per namespace index is recreated, since it will no longer contain the authorization policy.

We update the is_empty() function to properly consider authorization policies as well. We also add some generally useful logging at debug and trace level.

TODO: add test

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Alex Leong <[email protected]>
@adleong requested a review from a team as a code owner February 16, 2024 01:09

@olix0r (Member) left a comment

some logging consistency nits...

How hard is it to write a test for this?

@mateiidavid (Member) left a comment

🚢

@adleong merged commit 754d047 into main Feb 16, 2024
@adleong deleted the alex/index-empty branch February 16, 2024 18:30
adleong added a commit that referenced this pull request Feb 16, 2024
* Allowed the `MutatingWebhookConfig` timeout value to be configured ([#12028])
  (thanks @mikebell90)
* Added a counter for items dropped from destination controller workqueue
  ([#12079])
* Fixed a spurious `linkerd check` error when using container images with
  digests ([#12059])
* Fixed an issue where inbound policy could be incorrect after certain policy
  resources are deleted ([#12088])

[#12028]: #12028
[#12079]: #12079
[#12059]: #12059
[#12088]: #12088

Signed-off-by: Alex Leong <[email protected]>
adleong added a commit that referenced this pull request Feb 17, 2024
…olicy (#12088)

In the inbound policy index, we maintain a policy index per namespace which holds various policy resources for that namespace.  When a per namespace index becomes empty, we remove it.  However, we were not considering authorization policy resources when determining if the index is empty.  This could result in the index being removed even while it contained authorization policy resources, as long as all other resource types did not exist.

This can lead to incorrect inbound policy responses when the per namespace index is recreated, since it will no longer contain the authorization policy.

We update the `is_empty()` function to properly consider authorization policies as well.  We also add some generally useful logging at debug and trace level.

Signed-off-by: Alex Leong <[email protected]>
Co-authored-by: Oliver Gould <[email protected]>
@adleong mentioned this pull request Feb 19, 2024
adleong added a commit that referenced this pull request Feb 20, 2024
This stable release back-ports bugfixes and improvements from recent edge
releases.

* Introduced support for arbitrary labels in the `podMonitors` field in the
  control plane Helm chart (thanks @jseiser!) ([#11222]; fixes [#11175])
* Added a `prometheusUrl` field for the heartbeat job in the control plane Helm
  chart (thanks @david972!) ([#11343]; fixes [#11342])
* Updated the Destination controller to return `INVALID_ARGUMENT` status codes
  properly when a `ServiceProfile` is requested for a service that does not
  exist. ([#11980])
* Reduced the load on the Destination controller by only processing Server
  updates on workloads affected by the Server ([#12017])
* Changed how updates to a `Server` selector are handled in the destination
  service. When a `Server` that marks a port as opaque no longer selects a
  resource, the resource's opaqueness will be reverted to default settings
  ([#12031]; fixes [#11995])
* Fixed a race condition in the destination service that could cause panics
  under very specific conditions ([#12022]; fixes [#12010])
* Fixed an issue where inbound policy could be incorrect after certain policy
  resources are deleted ([#12088])

[#11222]: #11222
[#11175]: #11175
[#11343]: #11343
[#11342]: #11342
[#11980]: #11980
[#12017]: #12017
[#11995]: #11995
[#12031]: #12031
[#12010]: #12010
[#12022]: #12022
[#12088]: #12088

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: David ALEXANDRE <[email protected]>
Signed-off-by: Justin S <[email protected]>
Co-authored-by: Oliver Gould <[email protected]>
Co-authored-by: Alejandro Pedraza <[email protected]>
Co-authored-by: David ALEXANDRE <[email protected]>
Co-authored-by: Justin Seiser <[email protected]>
adleong added a commit that referenced this pull request Mar 7, 2024
PR #12088 fixed an issue where removing and then re-adding certain policy resources could leave the policy index in an incorrect state. We add a test for the specific condition that triggered this behavior to prevent against future regressions.

Verified that this test fails prior to #12088 but passes on main.

Signed-off-by: Alex Leong <[email protected]>
GrigoriyMikhalkin pushed a commit to GrigoriyMikhalkin/linkerd2 that referenced this pull request Mar 10, 2024
PR linkerd#12088 fixed an issue where removing and then re-adding certain policy resources could leave the policy index in an incorrect state. We add a test for the specific condition that triggered this behavior to prevent against future regressions.

Verified that this test fails prior to linkerd#12088 but passes on main.

Signed-off-by: Alex Leong <[email protected]>
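
The failure described in this PR, and the remove-then-re-add condition the follow-up test commit covers, replayed as an added example that is not Linkerd's code: a simplified model in which a namespace index tracks only Servers and AuthorizationPolicies. The types `NamespaceIndex` and `Index`, the `replay` function, and the names `app`, `web` and `web-authz` are hypothetical and constructed for illustration; treating a Server as the "other resource" is an assumption.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical, simplified model of one namespace's slice of the policy index.
#[derive(Default)]
struct NamespaceIndex {
    servers: BTreeSet<String>,
    authorization_policies: BTreeMap<String, String>, // policy name -> target Server
}

impl NamespaceIndex {
    // `fixed == false` reproduces the described bug: authorization policies are ignored.
    fn is_empty(&self, fixed: bool) -> bool {
        self.servers.is_empty() && (!fixed || self.authorization_policies.is_empty())
    }
}
#[derive(Default)]
struct Index {
    namespaces: BTreeMap<String, NamespaceIndex>,
}
impl Index {
    fn ns(&mut self, ns: &str) -> &mut NamespaceIndex {
        self.namespaces.entry(ns.to_string()).or_default()
    }
    fn delete_server(&mut self, ns: &str, name: &str, fixed: bool) {
        let Some(nsi) = self.namespaces.get_mut(ns) else { return };
        nsi.servers.remove(name);
        if nsi.is_empty(fixed) {
            self.namespaces.remove(ns); // drops everything still held for the namespace
        }
    }
    // Names of the authorization policies the index would apply to `server`.
    fn authorizations_for(&self, ns: &str, server: &str) -> Vec<String> {
        let Some(nsi) = self.namespaces.get(ns) else { return Vec::new() };
        let hits = nsi.authorization_policies.iter().filter(|(_, t)| t.as_str() == server);
        hits.map(|(name, _)| name.clone()).collect()
    }
}

// Constructed sequence: the Server is deleted and re-added; the policy is never deleted.
fn replay(fixed: bool) -> Vec<String> {
    let mut idx = Index::default();
    idx.ns("app").servers.insert("web".into());
    idx.ns("app").authorization_policies.insert("web-authz".into(), "web".into());
    idx.delete_server("app", "web", fixed);
    idx.ns("app").servers.insert("web".into());
    idx.authorizations_for("app", "web")
}

fn main() { println!("pre-fix: {:?}, fixed: {:?}", replay(false), replay(true)); }
```

With the pre-fix emptiness check the re-created namespace index returns no authorization for `web` even though `web-authz` was never deleted; with the corrected check the policy survives the Server's deletion.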