Merge pull request #40433 from rh-tokeefe/OSSMDOC-451

JStickler · web-flow · commit afbde7977927 · 2022-01-13T13:10:01.000-05:00
OSSMDOC-451: Service Mesh 2.1.1 Release Notes
diff --git a/modules/ossm-config-disable-networkpolicy.adoc b/modules/ossm-config-disable-networkpolicy.adoc
@@ -0,0 +1,40 @@
+////
+This module included in the following assemblies:
+-v2x/servicemesh-release-notes.adoc
+////
+
+[id="ossm-config-disable-networkpolicy_{context}"]
+= Disabling network policies
+
+{ProductName} automatically creates and manages a number of `NetworkPolicies` resources in the control plane and application namespaces. This is to ensure that applications and the control plane can communicate with each other.
+
+If you want to disable the automatic creation and management of `NetworkPolicies` resources, for example to enforce company security policies, you can do so.  You can edit the `ServiceMeshControlPlane` to set the `spec.security.manageNetworkPolicy` setting to `false`
+
+[NOTE]
+====
+When you disable `spec.security.manageNetworkPolicy` {ProductName} will not create *any* `NetworkPolicy` objects.  The system administrator is responsible for managing the network and fixing any issues this might cause.
+====
+
+.Procedure
+
+. In the {product-title} web console, click *Operators* -> *Installed Operators*.
+
+. Select the project where you installed the control plane, for example `istio-system`, from the Project menu.
+
+. Click the {ProductName} Operator. In the *Istio Service Mesh Control Plane* column, click the name of your `ServiceMeshControlPlane`, for example `basic-install`.
+
+. On the *Create ServiceMeshControlPlane Details* page, click `YAML` to modify your configuration.
+
+. Set the `ServiceMeshControlPlane` field `spec.security.manageNetworkPolicy` to `false`, as shown in this example.
++
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+spec:
+  security:
+      trust:
+      manageNetworkPolicy: false
+----
++
+. Click *Save*.
diff --git a/modules/ossm-document-attributes.adoc b/modules/ossm-document-attributes.adoc
@@ -15,7 +15,7 @@
 :ProductName: Red Hat OpenShift Service Mesh
 :ProductShortName: Service Mesh
 :ProductRelease:
-:ProductVersion: 2.1
+:ProductVersion: 2.1.1
 :MaistraVersion: 2.0
 :product-build:
 
diff --git a/modules/ossm-rn-fixed-issues.adoc b/modules/ossm-rn-fixed-issues.adoc
@@ -19,6 +19,11 @@ The following issues been resolved in the current release:
 [id="ossm-rn-fixed-issues-ossm_{context}"]
 == {ProductShortName} fixed issues
 
+* link:https://issues.redhat.com/browse/OSSM-797[OSSM-797] Kiali Operator pod generates `CreateContainerConfigError` while installing or updating the operator.
+
+* https://issues.redhat.com/browse/OSSM-722[OSSM-722]
+Namespace starting with `kube` is hidden from Kiali.
+
 * link:https://issues.redhat.com/browse/OSSM-569[OSSM-569] There is no CPU memory limit for the Prometheus `istio-proxy` container. The Prometheus `istio-proxy` sidecar now uses the resource limits defined in `spec.proxy.runtime.container`.
 
 * link:https://issues.redhat.com/browse/OSSM-449[OSSM-449] VirtualService and Service causes an error "Only unique values for domains are permitted. Duplicate entry of domain."
@@ -33,6 +38,8 @@ The following issues been resolved in the current release:
 
 * link:https://issues.redhat.com/browse/OSSM-287[OSSM-287] In the Kiali console there are no traces being displayed on the Graph Service.
 
+* link:https://issues.jboss.org/browse/MAISTRA-2687[MAISTRA-2687] {ProductName} 2.1 federation gateway does not send the full certificate chain when using external certificates. The {ProductShortName} federation egress gateway only sends the client certificate. Because the federation ingress gateway only knows about the root certificate, it cannot verify the client certificate unless you add the root certificate to the federation import `ConfigMap`.
+
 * link:https://issues.redhat.com/browse/MAISTRA-2635[MAISTRA-2635] Replace deprecated Kubernetes API. To remain compatible with {product-title} 4.8, the `apiextensions.k8s.io/v1beta1` API was deprecated as of {ProductName} 2.0.8.
 
 * link:https://issues.redhat.com/browse/MAISTRA-2631[MAISTRA-2631] The WASM feature is not working because podman is failing due to nsenter binary not being present. {ProductName} generates the following error message: `Error: error configuring CNI network plugin exec: "nsenter": executable file not found in $PATH`. The container image now contains nsenter and WASM works as expected.
diff --git a/modules/ossm-rn-known-issues.adoc b/modules/ossm-rn-known-issues.adoc
@@ -32,39 +32,32 @@ These are the known issues in {ProductName}:
 
 * link:https://github.com/istio/istio/issues/14743[Istio-14743] Due to limitations in the version of Istio that this release of {ProductName} is based on, there are several applications that are currently incompatible with {ProductShortName}. See the linked community issue for details.
 
+* https://issues.redhat.com/browse/OSSM-882[OSSM-882] Namespace is in the accessible_namespace list but does not appear in Kiali UI. By default, Kiali will not show any namespaces that start with "kube" because these namespaces are typically internal-use only and not part of a mesh.
++
+For example, if you create a namespace called 'akube-a' and add it to the Service Mesh member roll, then the Kiali UI does not display the namespace. For defined exclusion patterns, the software excludes namespaces that start with or contain the pattern.
++
+The workaround is to change the Kiali Custom Resource setting so it prefixes the setting with a carat (^). For example:
+
+  api:
+    namespaces:
+      exclude:
+      - "^istio-operator"
+      - "^kube-.*"
+      - "^openshift.*"
+      - "^ibm.*"
+      - "^kiali-operator"
+
 * link:https://issues.redhat.com/browse/OSSM-285[OSSM-285] When trying to access the Kiali console, receive the following error message "Error trying to get OAuth Metadata". The workaround is to restart the Kiali pod.
 
-* link:https://issues.redhat.com/browse/MAISTRA-2692[MAISTRA-2692] With Mixer removed, custom metrics that have been defined in {ProductShortName} 2.0.x cannot be used in 2.1. Custom metrics can be configured using `EnvoyFilter`. Red Hat is unable to support `EnvoyFilter` configuration except where explicitly documented. This is due to tight coupling with the underlying Envoy APIs, meaning that backward compatibility cannot be maintained.
+* link:https://issues.redhat.com/browse/MAISTRA-2735[MAISTRA-2735] The resources that the Service Mesh Operator deletes when reconciling the SMCP have changed. Previously, the Operator deleted a resource with the following labels:
+
+** `maistra.io/owner`
+** `app.kubernetes.io/version`
 
-* link:https://issues.jboss.org/browse/MAISTRA-2687[MAISTRA-2687] {ProductName} 2.1 federation gateway does not send the full certificate chain when using external certificates. The {ProductShortName} federation egress gateway only sends the client certificate. Because the federation ingress gateway only knows about the root certificate, it cannot verify the client certificate unless you add the root certificate to the federation import `ConfigMap`.
-+
-. To provide both the root certificate and CA certificate when setting the federation import `ConfigMap`:
-+
-[source,yaml]
-----
-  apiVersion: v1
-  kind: ConfigMap
-  metadata:
-    name: mesh1-ca-root-cert
-    namespace: mesh2-system
-  data:
-    root-cert.pem: |-
-      {{MESH1_CERT}}
-----
-+
-. Assign the certificate values to the mesh variable:
-+
-[source,terminal]
-----
-$ MESH1_CERT=$(cat cacerts/root-cert.pem cacerts/ca-cert.pem | sed ':a;N;$!ba;s/\n/\\\n    /g')
-----
-+
-. Insert the certificate information into `ConfigMap` and apply the change:
 +
-[source,terminal]
-----
-$ sed "s:{{MESH1_CERT}}:$MESH1_CERT:g" import/configmap.yaml | oc apply -f -
-----
+Now, the Operator ignores resources that don't also include the `app.kubernetes.io/managed-by=maistra-istio-operator` label. If you create your own resources, you should not add the `app.kubernetes.io/managed-by=maistra-istio-operator` label to them.
+
+* link:https://issues.redhat.com/browse/MAISTRA-2692[MAISTRA-2692] With Mixer removed, custom metrics that have been defined in {ProductShortName} 2.0.x cannot be used in 2.1. Custom metrics can be configured using `EnvoyFilter`. Red Hat is unable to support `EnvoyFilter` configuration except where explicitly documented. This is due to tight coupling with the underlying Envoy APIs, meaning that backward compatibility cannot be maintained.
 
 * link:https://issues.redhat.com/browse/MAISTRA-2648[MAISTRA-2648] `ServiceMeshExtensions` are currently not compatible with meshes deployed on IBM Z Systems.
 
diff --git a/modules/ossm-rn-new-features.adoc b/modules/ossm-rn-new-features.adoc
@@ -24,7 +24,7 @@ Module included in the following assemblies:
 |Component |Version
 
 |Istio
-|1.9.8
+|1.9.9
 
 |Envoy Proxy
 |1.17.1
@@ -33,9 +33,51 @@ Module included in the following assemblies:
 |1.24.1
 
 |Kiali
-|1.36.5
+|1.36.7
 |===
 
+== New features {ProductName} 2.1.1
+
+This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
+
+This release also adds the ability to disable the automatic creation of network policies.
+
+[id="ossm-config-disable-networkpolicy_{context}"]
+=== Disabling network policies
+
+{ProductName} automatically creates and manages a number of `NetworkPolicies` resources in the control plane and application namespaces. This is to ensure that applications and the control plane can communicate with each other.
+
+If you want to disable the automatic creation and management of `NetworkPolicies` resources, for example to enforce company security policies, you can do so.  You can edit the `ServiceMeshControlPlane` to set the `spec.security.manageNetworkPolicy` setting to `false`
+
+[NOTE]
+====
+When you disable `spec.security.manageNetworkPolicy` {ProductName} will not create *any* `NetworkPolicy` objects.  The system administrator is responsible for managing the network and fixing any issues this might cause.
+====
+
+.Procedure
+
+. In the {product-title} web console, click *Operators* -> *Installed Operators*.
+
+. Select the project where you installed the control plane, for example `istio-system`, from the Project menu.
+
+. Click the {ProductName} Operator. In the *Istio Service Mesh Control Plane* column, click the name of your `ServiceMeshControlPlane`, for example `basic-install`.
+
+. On the *Create ServiceMeshControlPlane Details* page, click `YAML` to modify your configuration.
+
+. Set the `ServiceMeshControlPlane` field `spec.security.manageNetworkPolicy` to `false`, as shown in this example.
++
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+spec:
+  security:
+      trust:
+      manageNetworkPolicy: false
+----
++
+. Click *Save*.
+
 == New features and enhancements {ProductName} 2.1
 
 This release of {ProductName} adds support for Istio 1.9.8, Envoy Proxy 1.17.1, Jaeger 1.24.1, and Kiali 1.36.5 on {product-title} 4.6 EUS, 4.7, 4.8, and 4.9.
