Below find release notes for both major and minor release of AOSM.
13
+
This pages contains major and minor releas for Azure Operator Service Manager
14
14
15
-
## 7/31 Release
15
+
## Overview
16
16
17
-
TBD
17
+
The following release notes are presently generally available:
18
+
19
+
[Release Notes for Version 2.0.2763-119 7/31/24](https://github.com/msftadam/azure-docs-pr/edit/patch-2/articles/operator-service-manager/release-notes.md?pr=%2FMicrosoftDocs%2Fazure-docs-pr%2Fpull%2F284200#731-release)
20
+
21
+
## Release 2.0.2763-119 - 7/31
22
+
23
+
Azure Operator Service Manager Release Notes
24
+
7/31/2024 – Document Version 1.5
25
+
26
+
### Release Summary
27
+
Azure Operator Service Manager is a cloud orchestration service that enables automation of operator network-intensive workloads, and mission critical applications hosted on Azure Operator Nexus. Azure Operator Service Manager unifies infrastructure, software and configuration management with a common model into a single interface, both based on trusted Azure industry standards.
28
+
This 07-31-2024 Azure Operator Service Manager release includes updating the NFO version to 2.0.2763-119, the details of which are further outlined in the remainder of this document.
29
+
30
+
### Release Details
31
+
* Release Version: 2.0.2763-119
32
+
* Release Date: 07-31-2024
33
+
34
+
### Release Installation
35
+
**[BREAKING CHANGE INSTALLATION]** This is a major version release which includes a breaking change. To safely install this version, please follow the steps:
36
+
1. Delete all site network services and network functions from the custom location.
37
+
2. Uninstall the network function extension:
38
+
3. Delete custom location
39
+
4. _If Required:_ Update the CSN to whitelist the endpoint: "linuxgeneva-microsoft.azurecr.io" port 443. This step can be skipped if a wildcard is being used or if running Nexus 3.12 or later.
40
+
5. Install the network function extension
41
+
- For further reference, complete extension syntax in Appendix B.
42
+
6. Create custom location
43
+
7. Redeploy site network services and network functions to the custom location.
44
+
45
+
For more Azure Operator Service Manager documentation, please visit; <br> [Azure Operator Service Manager Documentation | Microsoft Learn](https://learn.microsoft.com/en-us/azure/operator-service-manager/)
46
+
47
+
### Release Attestation
48
+
This release has been produced in accordance with Microsoft’s Secure Development Lifecycle, including processes for authorizing software changes, antimalware scanning, and scanning and mitigating security bugs and vulnerabilities.”
49
+
50
+
### Release Highlights
51
+
#### Cluster Registry & Webhook – High Availability
52
+
Introduced in this release is an enhancement of the cluster registry and webhook service to support high availability operations. When enabled, this replaces the singleton pod, used in earlier releases, with a replica set and optionally allows for horizontal auto scaling. Other notable improvements include:
53
+
* Changing registry storage volume from "nexus-volume" to "nexus-shared"
54
+
* Implementing options to allow for the future deletion of the extension with minimal impact.
55
+
* Adds tracking references for cluster registry container images usage
56
+
57
+
The following new parameters are now available, and should be appropriately set, when creating the network function extension using the “az k8s-extension” command.
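Review bot: The Overview link on new line 19 is a GitHub editor URL for a fork branch (`github.com/msftadam/azure-docs-pr/edit/patch-2/...`) rather than a link into the published page, and its `#731-release` fragment targets the `## 7/31 Release` heading that this change removes. Replace it with a relative in-page anchor that matches the new `## Release 2.0.2763-119 - 7/31` heading. Smaller points in the same region: line 13 has typos ("This pages", "releas"), installation step 2 on line 37 ends in a colon with no command after it, and the Release Attestation sentence on line 48 ends with an unmatched closing quote.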
This configuration will provision the webhook pods with horizontal auto scaling.
77
+
Accepted values: true, false.
78
+
Default value: true.
79
+
80
+
#### Safe Upgrades – Downgrade to Lower Version
81
+
With this release a SNS re-put operation now supports downgrading a network function to a lower version. The downgrade re-put operation uses the “helm update” method and is not the same as a rollback operation. Downgrade operations support the same capabilities as upgrades, such as atomic parameter, test-option parameters and pause-on-failure behavior.
82
+
83
+
### Issues Resolved in This Release
84
+
85
+
#### Bugfix Related Updates
86
+
The following bugfixes, or other defect resolutions, have been delivered with this release.
87
+
88
+
* NFO - Fix for Out Of Memory(OOM) condition in artifact-controller pod when installing fed-smf with Cluster Registry.
89
+
* NFO - Prevent mutation of non-AOSM managed pods within "kube-system" namespace. AT&T can use the default value for the new parameter to selectively apply mutations to AOSM-managed pods. (see Appendix B)
90
+
* NFO - Improved logging, fixing situations where logs were being dropped
91
+
* NFO - Tuning of memory and CPU resources, to limit resource consumption.
92
+
93
+
#### Security Related Updates
94
+
Through Microsoft’s Secure Future Initiative | Microsoft, the Nexus product has introduced the following security focused enhancements in this release and will continue to do so in future releases.
95
+
96
+
* NFO - Signing of helm package used by network function extension.
97
+
* NFO - Signing of core image used by network function extension.
98
+
* NFO - Use of Cert-manager for service certificate management and rotation. This change can result in failed SNS deployments if not properly reconciled. For guidance on the impact of this change, see Appendix C.
99
+
* NFO - Automated refresh of AOSM certificates during extension installation.
100
+
* NFO - A dedicated service account for the pre-upgrade job to safeguard against modifications to the existing network function extension service account.
101
+
* RP - The service principles (SPs) used for deploying site & NF now require “Microsoft.ExtendedLocation/customLocations/read” permission. The SP's which deploy day N scenario now require "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action" permission. This change can result in failed SNS deployments if not properly reconciled
102
+
* CVE - The following CVE’s are addressed in this release: CVE-2019-25210, CVE-2024-2511, CVE-2023-42366, CVE-2024-4603, CVE-2023-42363
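Review bot: The kube-system bullet on line 89 names a specific customer ("AT&T can use the default value for the new parameter"), which does not belong in generally available release notes. Reword it neutrally and name the parameter instead of calling it "the new parameter". On line 101, "service principles (SPs)" should read "service principals", and that bullet warns of failed SNS deployments without pointing to any reconciliation guidance, unlike the cert-manager bullet on line 98, which points to Appendix C. Line 81 quotes the method as “helm update”; please confirm that this is the intended Helm command name. On line 94, "Secure Future Initiative | Microsoft" reads like a pasted link title with no link target.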
This configuration is an optional parameter. It comes into play when CNF is getting installed and as a part of its installation corresponding pods are spin up in the CNF's release namespace. This configuration configures more granular control on top of rules and namespaceSelectors defined in Pod Mutating Webhook Configuration.
The above matchCondition implies that the pods getting admitted in kube-system namespace will be mutated only if they have atleast one of the following labels:
176
+
app == "commissioning"
177
+
name == "cert-exporter"
178
+
app == "descheduler"
179
+
else they will not be mutated and continue to be pulled from the original.
180
+
Accepted value: Any valid CEL expressions
181
+
To learn more about matchConditions reference Kubernetes doc link.
182
+
183
+
This configuration parameter can be set or updated during NF Extension's installation or update.
184
+
Also, this condition comes into play only when the CNF/Component/Application is getting installed into the namespace as per the rules and namespaceSelectors defined in Pod Mutating Webhook Configuration. If there are more pods getting spin up in that namespace, this condition will still be applied to them.
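Review bot: Line 181 says "reference Kubernetes doc link" but carries no URL, so the reader has no pointer for writing a valid CEL expression. Add the actual link. The sentence ending on line 179 ("else they will not be mutated and continue to be pulled from the original") leaves "the original" undefined; state which source unmutated pods keep pulling from. The three label expressions on lines 176-178 would be clearer as a list, and "atleast" and "getting spin up" need correcting.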
This configuration will allow artifacts to be delivered to edge via hardware drive.
241
+
It is only used for Tempnet with AP5GC.
242
+
Accepted values: false, true.
243
+
Default value: false.
244
+
Recommended NFO config for AKS
245
+
The default NFO config is configured for HA on NAKS as none of the csi disk drives on AKS support ReadWriteX access mode, HA needs to be disabled on AKS.Use the following config options on AKS
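Review bot: The AKS guidance after line 245 is a single run-on ("HA needs to be disabled on AKS.Use the following config options on AKS") that buries the instruction. Split it into three statements: the default config enables HA for NAKS, the AKS CSI disk options do not support the required access mode, and HA must therefore be disabled on AKS. Also spell out the access mode rather than "ReadWriteX", confirm whether "csi disk drives" is meant to be "CSI disk drivers", and give "Recommended NFO config for AKS" on line 244 heading markup consistent with the rest of the file.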
With this release, AOSM now uses cert-manager to store and rotate certificates. As part of this change, AOSM deploys a cert-manager operator, and associate CRDs, in the azurehybridnetwork namespace. Since having multiple cert-manager operators, even deployed in separate namespaces, will watch across all namespaces, only one cert-manager can be effectively run on the cluster.
278
+
279
+
Any user trying to install cert-manager on the cluster, as part of a workload deployment, will get a deployment failure with an error that the CRD “exists and cannot be imported into the current release.” To avoid this error, the recommendation is to skip installing cert-manager, instead take dependency on cert-manager operator and CRD already installed by AOSM.
280
+
281
+
#### Other Configuration Changes to Consider
282
+
In addition to disabling the NfApp associated with the old user cert-manager, we have found other changes may be needed.
283
+
1. If any other NfApps have DependsOn references to the old user cert-manager NfApp, these will need to be removed.
284
+
2. If any other NfApps reference the old user cert-manager namespace value, this will need to be changed to the new azurehybridnetwork namespace value.
285
+
286
+
#### Cert-Manager Version Compatibility & Management
287
+
For the cert-manager operator, our current deployed version is 1.14.5. Users should test for compatibility with this version. Future cert-manager operator upgrades will be supported via the NFO extension upgrade process.
288
+
289
+
For the CRD resources, our current deployed version is 1.14.5. Users should test for compatibility with this version. Since management of a common cluster CRD is something typically handled by a cluster administrator, we are working to enable CRD resource upgrades via standard Nexus Add-on process.
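Review bot: Line 282 opens with "In addition to disabling the NfApp associated with the old user cert-manager", but nothing in the visible text above tells the reader to disable an NfApp. The preceding paragraph only recommends skipping the cert-manager install. State that step explicitly before listing the follow-on changes. The sentence before line 278 beginning "Since having multiple cert-manager operators" is ungrammatical; say directly that each operator watches all namespaces, so only one can effectively run per cluster. In the same sentence group, "associate CRDs" should be "associated CRDs".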