Commit 254c597

Tim O'Keefe authored and Robert Krátký committed
OSSM-3252: Service Mesh 2.4 Release Notes
Fix review comments. Apply suggestions from code review Co-authored-by: Gabriel McGoldrick <[email protected]> Fix review comments.
1 parent e26fd82 commit 254c597

5 files changed

+266
-35
lines changed

_attributes/common-attributes.adoc

Lines changed: 2 additions & 2 deletions
@@ -138,8 +138,8 @@ endif::[]
138138
:product-dedicated: Red Hat OpenShift Dedicated
139139
:SMProductName: Red Hat OpenShift Service Mesh
140140
:SMProductShortName: Service Mesh
141-
:SMProductVersion: 2.3.3
142-
:MaistraVersion: 2.3
141+
:SMProductVersion: 2.4
142+
:MaistraVersion: 2.4
143143
//Service Mesh v1
144144
:SMProductVersion1x: 1.1.18.2
145145
//Windows containers
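
Review bot: `:SMProductVersion:` goes from a three-part value (`2.3.3`) to a two-part value (`2.4`) in this hunk, so it now renders identically to `:MaistraVersion: 2.4` wherever a full release number was expected. If the release is a `.0`, consider writing the full version here, or confirm that the two-part form is intended; the neighbouring `:SMProductVersion1x: 1.1.18.2` still carries a full version string.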

modules/ossm-rn-deprecated-features.adoc

Lines changed: 24 additions & 5 deletions
@@ -15,7 +15,26 @@ Deprecated functionality is still included in {product-title} and continues to b
1515

1616
Removed functionality no longer exists in the product.
1717

18-
== Deprecated and removed features {SMProductName} 2.3
18+
== Deprecated and removed features in {SMProductName} 2.4
19+
20+
The v2.1 `ServiceMeshControlPlane` resource is no longer supported. Customers should upgrade their mesh deployments to use a later version of the `ServiceMeshControlPlane` resource.
21+
22+
Support for Istio OpenShift Routing (IOR) is deprecated and will be removed in a future release.
23+
24+
Support for Grafana is deprecated and will be removed in a future release.
25+
26+
Support for the following cipher suites, which were deprecated in {SMProductName} 2.3, has been removed from the default list of ciphers used in TLS negotiations on both the client and server sides. Applications that require access to services requiring one of these cipher suites will fail to connect when a TLS connection is initiated from the proxy.
27+
28+
* ECDHE-ECDSA-AES128-SHA
29+
* ECDHE-RSA-AES128-SHA
30+
* AES128-GCM-SHA256
31+
* AES128-SHA
32+
* ECDHE-ECDSA-AES256-SHA
33+
* ECDHE-RSA-AES256-SHA
34+
* AES256-GCM-SHA384
35+
* AES256-SHA
36+
37+
== Deprecated and removed features in {SMProductName} 2.3
1938

2039
Support for the following cipher suites has been deprecated. In a future release, they will be removed from the default list of ciphers used in TLS negotiations on both the client and server sides.
2140
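Review bot: In the new 2.4 section, the removed-cipher list uses OpenSSL-style names, and `AES128-GCM-SHA256` and `AES256-GCM-SHA384` are easy to misread as the TLS 1.3 suites `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`. Suggest adding a short qualifier that these are TLS 1.2 suites (the RSA key-exchange and SHA-1 based ones), so operators auditing their endpoints check the right thing. The paragraph also says affected applications "will fail to connect when a TLS connection is initiated from the proxy" but gives no next step; a sentence on what to do (update the peer service to a suite that is still in the default list, or a link to the supported configuration) would make the note actionable.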

@@ -30,21 +49,21 @@ Support for the following cipher suites has been deprecated. In a future release
3049

3150
The `ServiceMeshExtension` API, which was deprecated in {SMProductName} version 2.2, was removed in {SMProductName} version 2.3. If you are using the `ServiceMeshExtension` API, you must migrate to the `WasmPlugin` API to continue using your WebAssembly extensions.
3251

33-
== Deprecated features {SMProductName} 2.2
52+
== Deprecated features in {SMProductName} 2.2
3453

3554
The `ServiceMeshExtension` API is deprecated as of release 2.2 and will be removed in a future release. While `ServiceMeshExtension` API is still supported in release 2.2, customers should start moving to the new `WasmPlugin` API.
3655

37-
== Removed features {SMProductName} 2.2
56+
== Removed features in {SMProductName} 2.2
3857

3958
This release marks the end of support for {SMProductShortName} control planes based on Service Mesh 1.1 for all platforms.
4059

41-
== Removed features {SMProductName} 2.1
60+
== Removed features in {SMProductName} 2.1
4261

4362
In Service Mesh 2.1, the Mixer component is removed. Bug fixes and support is provided through the end of the Service Mesh 2.0 life cycle.
4463

4564
Upgrading from a Service Mesh 2.0.x release to 2.1 will not proceed if Mixer plugins are enabled. Mixer plugins must be ported to WebAssembly Extensions.
4665

47-
== Deprecated features {SMProductName} 2.0
66+
== Deprecated features in {SMProductName} 2.0
4867

4968
The Mixer component was deprecated in release 2.0 and will be removed in release 2.1. While using Mixer for implementing extensions was still supported in release 2.0, extensions should have been migrated to the new link:https://istio.io/latest/blog/2020/wasm-announce/[WebAssembly] mechanism.
5069
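Review bot: The renamed `==` headings in this hunk have no explicit `[id=...]` line above them, so their generated anchors follow the title text and change when "in" is inserted. If anything links to these sections, add explicit IDs the way `modules/ossm-rn-fixed-issues.adoc` does with `[id="ossm-rn-fixed-issues-ossm_{context}"]`, so that title edits like this one do not break references.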

modules/ossm-rn-fixed-issues.adoc

Lines changed: 17 additions & 0 deletions
@@ -19,10 +19,14 @@ The following issues been resolved in the current release:
1919
[id="ossm-rn-fixed-issues-ossm_{context}"]
2020
== {SMProductShortName} fixed issues
2121

22+
* https://issues.redhat.com/browse/OSSM-3993[OSSM-3993] Previously, Kiali only supported OpenShift OAuth via a proxy on the standard HTTPS port of `443`. Now, Kiali supports OpenShift OAuth over a non-standard HTTPS port. To enable the port, you must set the `spec.server.web_port` field to the proxy's non-standard HTTPS port in the Kiali CR.
23+
2224
* https://issues.redhat.com/browse/OSSM-3644[OSSM-3644] Previously, the federation egress-gateway received the wrong update of network gateway endpoints, causing extra endpoint entries. Now, the federation-egress gateway has been updated on the server side so it receives the correct network gateway endpoints.
2325

2426
* https://issues.redhat.com/browse/OSSM-3595[OSSM-3595] Previously, the `istio-cni` plugin sometimes failed on {op-system-base} because SELinux did not allow the utility `iptables-restore` to open files in the `/tmp` directory. Now, SELinux passes `iptables-restore` via `stdin` input stream instead of via a file.
2527

28+
* https://issues.redhat.com/browse/OSSM-3586[OSSM-3586] Previously, Istio proxies were slow to start when Google Cloud Platform (GCP) metadata servers were not available. When you upgrade to Istio 1.14.6, Istio proxies start as expected on GCP, even if metadata servers are not available.
29+
2630
* https://issues.redhat.com/browse/OSSM-3025[OSSM-3025] Istiod sometimes fails to become ready. Sometimes, when a mesh contained many member namespaces, the Istiod pod did not become ready due to a deadlock within Istiod. The deadlock is now resolved and the pod now starts as expected.
2731

2832
* https://issues.redhat.com/browse/OSSM-2493[OSSM-2493] Default `nodeSelector` and `tolerations` in SMCP not passed to Kiali. The `nodeSelector` and `tolerations` you add to `SMCP.spec.runtime.defaults` are now passed to the Kiali resource.
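
Review bot: The OSSM-3586 entry says "When you upgrade to Istio 1.14.6", but readers of these notes upgrade {SMProductName} rather than Istio itself; suggest stating the fix in terms of the product release and mentioning the Istio version only as supporting detail. In the OSSM-3993 entry, "To enable the port" reads as if the port were switched on in Kiali; "To use a non-standard port" matches what `spec.server.web_port` does according to the rest of the sentence. The `@@` context line "The following issues been resolved" is also missing "have" and could be fixed while this file is open.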
@@ -41,6 +45,19 @@ This is fixed by using the Kiali SA to fetch the cluster version. This also allo
4145

4246
* https://issues.redhat.com/browse/OSSM-2335[OSSM-2335] Dragging the mouse pointer over the Traces scatterchart plot sometimes caused the Kiali console to stop responding due to concurrent backend requests.
4347

48+
* https://issues.redhat.com/browse/OSSM-2221[OSSM-2221] Previously, gateway injection in the `ServiceMeshControlPlane` namespace was not possible because the `ignore-namespace` label was applied to the namespace by default.
49+
+
50+
When creating a v2.4 control plane, the namespace no longer has the `ignore-namespace` label applied, and gateway injection is possible.
51+
+
52+
In the following example, the `oc label` command removes the `ignore-namespace` label from a namespace in an existing deployment:
53+
+
54+
[source,terminal]
55+
----
56+
$ oc label namespace <istio_system> maistra.io/ignore-namespace-
57+
----
58+
+
59+
In the example above, <istio_system> represents the name of the `ServiceMeshControlPlane` namespace.
60+
4461
* https://issues.redhat.com/browse/OSSM-2053[OSSM-2053] Using {SMProductName} Operator 2.2 or 2.3, during SMCP reconciliation, the SMMR controller removed the member namespaces from `SMMR.status.configuredMembers`. This caused the services in the member namespaces to become unavailable for a few moments.
4562
+
4663
Using {SMProductName} Operator 2.2 or 2.3, the SMMR controller no longer removes the namespaces from `SMMR.status.configuredMembers`. Instead, the controller adds the namespaces to `SMMR.status.pendingMembers` to indicate that they are not up-to-date. During reconciliation, as each namespace synchronizes with the SMCP, the namespace is automatically removed from `SMMR.status.pendingMembers`.
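
Review bot: The OSSM-2221 entry never states outright that control planes created before v2.4 keep the `maistra.io/ignore-namespace` label after an upgrade; the reader has to infer it from "in an existing deployment". Suggest an explicit sentence such as "Existing control plane namespaces retain the label; remove it manually to enable gateway injection" ahead of the command. In the last added line, the placeholder in "In the example above, <istio_system> represents" is outside backticks and should be formatted as `<istio_system>` to match the command.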

modules/ossm-rn-known-issues.adoc

Lines changed: 25 additions & 11 deletions
@@ -15,30 +15,47 @@ Module included in the following assemblies:
1515

1616
These limitations exist in {SMProductName}:
1717

18-
* {SMProductName} does not yet support link:https://issues.redhat.com/browse/MAISTRA-1314[IPv6], as it is not yet fully supported by the upstream Istio project. As a result, {SMProductName} does not support dual-stack clusters.
18+
* {SMProductName} does not yet fully support link:https://issues.redhat.com/browse/MAISTRA-1314[IPv6]. As a result, {SMProductName} does not support dual-stack clusters.
1919
2020
* Graph layout - The layout for the Kiali graph can render differently, depending on your application architecture and the data to display (number of graph nodes and their interactions). Because it is difficult if not impossible to create a single layout that renders nicely for every situation, Kiali offers a choice of several different layouts. To choose a different layout, you can choose a different *Layout Schema* from the *Graph Settings* menu.
2121
2222
* The first time you access related services such as {JaegerShortName} and Grafana, from the Kiali console, you must accept the certificate and re-authenticate using your {product-title} login credentials. This happens due to an issue with how the framework displays embedded pages in the console.
2323
2424
ifndef::openshift-rosa[]
25-
* The Bookinfo sample application cannot be installed on IBM Z and IBM Power.
25+
* The Bookinfo sample application cannot be installed on {ibmpowerProductName}, {ibmzProductName}, and {linuxoneProductName}.
2626

27-
* WebAssembly extensions are not supported on IBM Z and IBM Power.
27+
* WebAssembly extensions are not supported on {ibmpowerProductName}, {ibmzProductName}, and {linuxoneProductName}.
2828
29-
* LuaJIT is not supported on IBM Power.
29+
* LuaJIT is not supported on {ibmpowerProductName}, {ibmzProductName}, and {linuxoneProductName}.
3030
31+
* Single stack IPv6 support is not available on {ibmpowerProductName}, {ibmzProductName}, and {linuxoneProductName}.
3132
endif::openshift-rosa[]
33+
3234
[id="ossm-rn-known-issues-ossm_{context}"]
3335
== {SMProductShortName} known issues
3436

3537
These are the known issues in {SMProductName}:
3638

37-
* https://issues.redhat.com/browse/OSSM-2221[OSSM-2221] Gateway injection does not work in control plane namespace. If you use the Gateway injection feature to create a gateway in the same location as the control plane, the injection fails and OpenShift generates this message:
39+
* https://issues.redhat.com/browse/OSSM-3890[OSSM-3890] Attempting to use the Gateway API in a multitenant mesh deployment generates an error message similar to the following:
40+
+
41+
[source,text]
42+
----
43+
2023-05-02T15:20:42.541034Z error watch error in cluster Kubernetes: failed to list *v1alpha2.TLSRoute: the server could not find the requested resource (get tlsroutes.gateway.networking.k8s.io)
44+
2023-05-02T15:20:42.616450Z info kube controller "gateway.networking.k8s.io/v1alpha2/TCPRoute" is syncing...
45+
----
46+
+
47+
To support Gateway API in a multitenant mesh deployment, all Gateway API Custom Resource Definition (CRD) files must be present in the cluster.
3848
+
39-
`Warning Failed 10s kubelet, ocp-wide-vh8fd-worker-vhqm9 Failed to pull image "auto": rpc error: code = Unknown desc = reading manifest latest in docker.io/library/auto: errors`
49+
In a multitenant mesh deployment, CRD scan is disabled, and Istio has no way to discover which CRDs are present in a cluster. As a result, Istio attempts to watch all supported Gateway API CRDs, but generates errors if some of those CRDs are not present.
4050
+
41-
To create a gateway in the control plane namespace, use the `gateways` parameter in the SMCP spec to configure ingress and egress gateways for the mesh.
51+
{SMProductShortName} 2.3.1 and later versions support both `v1alpha2` and `v1beta1` CRDs. Therefore, both CRD versions must be present for a multitenant mesh deployment to support the Gateway API.
52+
+
53+
Workaround: In the following example, the `kubectl get` operation installs the `v1alpha2` and `v1beta1` CRDs. Note the URL contains the additional `experimental` segment and updates any of your existing scripts accordingly:
54+
+
55+
[source,terminal]
56+
----
57+
$ kubectl get crd gateways.gateway.networking.k8s.io || { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.1" | kubectl apply -f -; }
58+
----
4259

4360
* https://issues.redhat.com/browse/OSSM-2042[OSSM-2042] Deployment of SMCP named `default` fails. If you are creating an SMCP object, and set its version field to v2.3, the name of the object cannot be `default`. If the name is `default`, then the control plane fails to deploy, and OpenShift generates a `Warning` event with the following message:
4461
+
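
Review bot: The OSSM-3890 workaround sentence says "the `kubectl get` operation installs the `v1alpha2` and `v1beta1` CRDs", but in the command `kubectl get crd gateways.gateway.networking.k8s.io` only tests for one CRD, and the `kubectl apply` after `||` runs only when that test fails. A cluster that already has `gateways.gateway.networking.k8s.io` but lacks `tlsroutes.gateway.networking.k8s.io`, which is exactly the case in the log excerpt above it, would skip the install and keep producing the error. Suggest either running the `kubectl kustomize ... | kubectl apply -f -` part unconditionally or testing for the CRDs that can be missing, and rewording the sentence so that `kubectl apply` is named as the step that installs. In the same sentence, "updates any of your existing scripts accordingly" should read "update".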
@@ -115,7 +132,7 @@ endif::openshift-rosa[]
115132
* link:https://issues.redhat.com/browse/MAISTRA-2692[MAISTRA-2692] With Mixer removed, custom metrics that have been defined in {SMProductShortName} 2.0.x cannot be used in 2.1. Custom metrics can be configured using `EnvoyFilter`. Red Hat is unable to support `EnvoyFilter` configuration except where explicitly documented. This is due to tight coupling with the underlying Envoy APIs, meaning that backward compatibility cannot be maintained.
116133
ifndef::openshift-rosa[]
117134

118-
* link:https://issues.redhat.com/browse/MAISTRA-2648[MAISTRA-2648] `ServiceMeshExtensions` are currently not compatible with meshes deployed on IBM Z Systems.
135+
* link:https://issues.redhat.com/browse/MAISTRA-2648[MAISTRA-2648] Service mesh extensions are currently not compatible with meshes deployed on {ibmzProductName}.
119136
endif::openshift-rosa[]
120137

121138
* link:https://issues.jboss.org/browse/MAISTRA-1959[MAISTRA-1959] _Migration to 2.0_ Prometheus scraping (`spec.addons.prometheus.scrape` set to `true`) does not work when mTLS is enabled. Additionally, Kiali displays extraneous graph data when mTLS is disabled.
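
Review bot: On the MAISTRA-2648 line, replacing `ServiceMeshExtensions` with "Service mesh extensions" drops the API name and leaves it unclear which extension mechanism is meant, given that the deprecated-features module in this same commit says the `ServiceMeshExtension` API was removed in 2.3. The line also names only `{ibmzProductName}`, while the limitations list earlier in this file now says WebAssembly extensions are not supported on `{ibmpowerProductName}`, `{ibmzProductName}`, and `{linuxoneProductName}`. Suggest aligning the two statements or dropping this entry if the limitation bullet covers it.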
@@ -132,9 +149,6 @@ spec:
132149
excludedPorts:
133150
- 15020
134151
----
135-
+
136-
//Keep MAISTRA-1314 in RN until IPv6 is actually supported
137-
* link:https://issues.redhat.com/browse/MAISTRA-1314[MAISTRA-1314] {SMProductName} does not yet support IPv6.
138152

139153
* link:https://issues.jboss.org/browse/MAISTRA-453[MAISTRA-453] If you create a new project and deploy pods immediately, sidecar injection does not occur. The operator fails to add the `maistra.io/member-of` before the pods are created, therefore the pods must be deleted and recreated for sidecar injection to occur.
140154
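Review bot: This hunk deletes the MAISTRA-1314 entry together with the comment `//Keep MAISTRA-1314 in RN until IPv6 is actually supported`, yet the limitations list earlier in the file still says the product "does not yet fully support" IPv6 and links the same issue. The new bullet "Single stack IPv6 support is not available on ..." implies single-stack IPv6 works on other platforms, but nothing in the visible text says so. Suggest stating what IPv6 support 2.4 provides, or keeping the known-issue entry until the condition in the removed comment is met.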
