Merge pull request #28040 from neal-timpe/ossmdoc-189

OSSMDOC-189

Author: neal-timpe

modules/ossm-cr-example.adoc

@@ -183,7 +183,7 @@ The following table lists the specifications for the `ServiceMeshControlPlane` r
 |Name |Description |Configurable parameters
 
 |addons
-|Addons is used to configure additional features beyond core control plane components, such as visualization, or metric storage.
+|Addon is used to configure additional features beyond core control plane components, such as visualization, or metric storage.
 |`3scale`, `grafana`, `jaeger`, `kiali`, and `prometheus`.
 
 |cluster
@@ -246,7 +246,7 @@ ControlPlaneStatus represents the current state of your service mesh.
 |Not configurable
 
 |conditions
-|Represents the latest available observations of the object’s current state. `Reconciled` indicates whether the operator has finished reconciling the actual state of deployed components with the the configuration in the `ServiceMeshControlPlane` resource. `Installed` indicates whether the control plane has been installed. `Ready` indicates whether all control plane components are ready
+|Represents the latest available observations of the object’s current state. `Reconciled` indicates whether the operator has finished reconciling the actual state of deployed components with the configuration in the `ServiceMeshControlPlane` resource. `Installed` indicates whether the control plane has been installed. `Ready` indicates whether all control plane components are ready
 |string
 
 |components

modules/ossm-document-attributes-1x.adoc

@@ -12,7 +12,7 @@
 :ProductName: Red Hat OpenShift Service Mesh
 :ProductShortName: Service Mesh
 :ProductRelease:
-:ProductVersion: 1.1.10
+:ProductVersion: 1.1.11
 :MaistraVersion: 1.1
 :product-build:
 :DownloadURL: registry.redhat.io

modules/ossm-document-attributes.adoc

@@ -12,7 +12,7 @@
 :ProductName: Red Hat OpenShift Service Mesh
 :ProductShortName: Service Mesh
 :ProductRelease:
-:ProductVersion: 2.0.0
+:ProductVersion: 2.0.1
 :MaistraVersion: 2.0
 :product-build:
 :DownloadURL: registry.redhat.io

modules/ossm-rn-fixed-issues.adoc

@@ -19,9 +19,21 @@ The following issues been resolved in the current release:
 [id="ossm-rn-fixed-issues-ossm_{context}"]
 == {ProductShortName} fixed issues
 
+* link:https://issues.redhat.com/browse/MAISTRA-2010[MAISTRA-2010] AuthorizationPolicy does not support `request.regex.headers` field. The `validatingwebhook` rejects any AuthorizationPolicy with the field, and even if you disable that, Pilot tries to validate it using the same code, and it does not work.
+
+* link:https://issues.jboss.org/browse/MAISTRA-1979[MAISTRA-1979] _Migration to 2.0_ The conversion webhook drops the following important fields when converting `SMCP.status` from v2 to v1:
+
+** conditions
+** components
+** observedGeneration
+** annotations
++
+Upgrading the operator to 2.0 might break client tools that read the SMCP status using the maistra.io/v1 version of the resource.
++
+This also causes the READY and STATUS columns to be empty when you run `oc get servicemeshcontrolplanes.v1.maistra.io`.
+
 * link:https://issues.redhat.com/browse/MAISTRA-1983[MAISTRA-1983] Upgrading to 2.0.0 with an existing invalid `ServiceMeshControlPlane` cannot easily be repaired. The invalid items in the `ServiceMeshControlPlane` resource caused an unrecoverable error. The fix makes the errors recoverable. You can delete the invalid resource and replace it with a new one or edit the resource to fix the errors. For more information about editing your resource, see [Configuring the Red Hat OpenShift Service Mesh installation].
 
 * link:https://issues.redhat.com/browse/MAISTRA-1502[Maistra-1502] As a result of CVEs fixes in version 1.0.10, the Istio dashboards are not available from the *Home Dashboard* menu in Grafana. The Istio dashboards still exist. To access them, click the *Dashboard* menu in the navigation panel and select the *Manage* tab.
 
 * link:https://bugzilla.redhat.com/show_bug.cgi?id=1821432[Bug 1821432] Toggle controls in {product-title} Control Resource details page do not update the CR correctly. UI Toggle controls in the Service Mesh Control Plane (SMCP) Overview page in the {product-title} web console sometimes update the wrong field in the resource. To update a SMCP, edit the YAML content directly or update the resource from the command line instead of clicking the toggle controls.
-

modules/ossm-rn-known-issues.adoc

@@ -26,8 +26,6 @@ These limitations exist in {ProductName}:
 
 These are the known issues in {ProductName}:
 
-* link:https://issues.redhat.com/browse/MAISTRA-2010[MAISTRA-2010] AuthorizationPolicy does not support `request.regex.headers` field. The `validatingwebhook` rejects any AuthorizationPolicy with the field, and even if you disable that, Pilot tries to validate it using the same code, and it does not work. The issue was fixed in 1.1, but not 2.0.
-
 * link:https://issues.jboss.org/browse/MAISTRA-1088[MAISTRA-1088]/link:https://issues.jboss.org/browse/MAISTRA-1621[MAISTRA-1621] 2.0 Migration Issues
 ** Gateways created in a non-control plane namespace will not be automatically deleted.  Users will need to manually delete these resources after removing the gateway definition from the SMCP spec.
 ** Prometheus scraping (`spec.addons.prometheus.scrape` set to `true`) does not work when mTLS is enabled.  Additionally, Kiali displays extraneous graph data when mTLS is disabled.
@@ -57,17 +55,6 @@ spec:
 
 * link:https://github.com/istio/istio/issues/14743[Istio-14743] Due to limitations in the version of Istio that this release of {ProductName} is based on, there are several applications that are currently incompatible with {ProductShortName}. See the linked community issue for details.
 
-* link:https://issues.jboss.org/browse/MAISTRA-1979[MAISTRA-1979] _Migration to 2.0_  The conversion webhook   drops the following important fields when converting SMCP.status from v2 to v1:
-
-** conditions
-** components
-** observedGeneration
-** annotations
-+
-This means that upgrading the operator to 2.0 might break client tools that read the SMCP status using the maistra.io/v1 version of the resource.
-+
-This also causes the READY and STATUS columns to be empty when you run `oc get servicemeshcontrolplanes.v1.maistra.io`.
-
 * link:https://issues.jboss.org/browse/MAISTRA-1947[MAISTRA-1947] _Technology Preview_  Updates to ServiceMeshExtensions are not applied.  The workaround is to remove and recreate the ServiceMeshExtensions.
 
 * link:https://issues.jboss.org/browse/MAISTRA-858[MAISTRA-858] The following Envoy log messages describing link:https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated[deprecated options and configurations associated with Istio 1.1.x] are expected:

modules/ossm-rn-new-features-1x.adoc

@@ -36,6 +36,10 @@ Result – If changed, describe the current user experience
 |1.0.0
 |===
 
+== New features {ProductName} 1.1.11
+
+This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
+
 == New features {ProductName} 1.1.10
 
 This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.

modules/ossm-rn-new-features.adoc

@@ -24,7 +24,7 @@ Result – If changed, describe the current user experience
 |Component |Version
 
 |Istio
-|1.6.5
+|1.6.14
 
 |Jaeger
 |1.20.0
@@ -36,6 +36,10 @@ Result – If changed, describe the current user experience
 |2.0.0
 |===
 
+== New features {ProductName} 2.0.1
+
+This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
+
 == New features {ProductName} 2.0
 
 This release of {ProductName} adds support for Istio 1.6.5, Jaeger 1.20.0, Kiali 1.24.2, and the 3scale Istio Adapter 2.0 and OpenShift Container Platform 4.6.

modules/ossm-vs-istio.adoc

@@ -39,6 +39,34 @@ The upstream Istio community installation automatically injects the sidecar into
 
 {ProductName} does not automatically inject the sidecar to any pods, but requires you to opt in to injection using an annotation without labeling projects. This method requires fewer privileges and does not conflict with other OpenShift capabilities such as builder pods. To enable automatic injection you specify the `sidecar.istio.io/inject` annotation as described in the Automatic sidecar injection section.
 
+[id="ossm-rbac_{context}"]
+== Istio Role Based Access Control features
+
+Istio Role Based Access Control (RBAC) provides a mechanism you can use to control access to a service. You can identify subjects by user name or by specifying a set of properties and apply access controls accordingly.
+
+The upstream Istio community installation includes options to perform exact header matches, match wildcards in headers, or check for a header containing a specific prefix or suffix.
+
+{ProductName} extends the ability to match request headers by using a regular expression. Specify a property key of `request.regex.headers` with a regular expression.
+
+.Upstream Istio community matching request headers example
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata: 
+  name: httpbin-usernamepolicy
+spec: 
+  action: ALLOW
+  rules: 
+    - when: 
+        - key: 'request.regex.headers[username]'
+          values: 
+            - "allowed.*"
+  selector: 
+    matchLabels: 
+      app: httpbin
+----
+
 [id="ossm-openssl_{context}"]
 == OpenSSL