Merge pull request #38320 from openshift-cherrypick-robot/cherry-pick-36858-to-enterprise-4.10

[enterprise-4.10] OSSMDOC-214 Release Notes for Service Mesh 2.1
vikram-redhat committed Nov 2, 2021
2 parents 205052f + fba600a commit 23840e2
Showing 8 changed files with 147 additions and 31 deletions.
2 changes: 1 addition & 1 deletion modules/ossm-document-attributes.adoc
Expand Up @@ -13,7 +13,7 @@
:product-dedicated: Red Hat OpenShift Dedicated
:ProductShortName: Service Mesh
:ProductRelease:
:ProductVersion: 2.0.8
:ProductVersion: 2.1
:MaistraVersion: 2.0
:product-build:
:DownloadURL: registry.redhat.io
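
Review bot: `:MaistraVersion:` is still 2.0 on the line directly below the `:ProductVersion:` bump to 2.1. If any module renders {MaistraVersion} in the 2.1 docs it will show the old value, so confirm whether it should move to 2.1 in this change or is intentionally pinned.
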
12 changes: 11 additions & 1 deletion modules/ossm-rn-deprecated-features.adoc
Expand Up @@ -8,11 +8,21 @@ Module included in the following assemblies:
Description - Description of the any features (including technology previews) that have been removed from the product. Write the description from a customer perspective, what UI elements, commands, or options are no longer available.
Consequence or a recommended replacement - Description of what the customer can no longer do, and recommended replacement (if known).
////
= Deprecated features
= Deprecated and removed features
Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in {product-title} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments.

Removed functionality no longer exists in the product.

== Removed features {ProductName} 2.1

In Service Mesh 2.1, the Mixer component is removed. Bug fixes and support is provided through the end of the Service Mesh 2.0 life cycle.

Upgrading from a Service Mesh 2.0.x release to 2.1 will not proceed if Mixer plugins are enabled. Mixer plugins must be ported to WebAssembly Extensions.

With Mixer removed, custom metrics for telemetry must be obtained using Envoy filter.

== Deprecated features {ProductName} 2.0

The Mixer component was deprecated in release 2.0 and will be removed in release 2.1. While using Mixer for implementing extensions was still supported in release 2.0, extensions should have been migrated to the new link:https://istio.io/latest/blog/2020/wasm-announce/[WebAssembly] mechanism.
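
Review bot: in the new "Removed features" section, "Bug fixes and support is provided" has a subject-verb mismatch (should be "are provided"), and "must be obtained using Envoy filter" should name the resource as `EnvoyFilter`, matching the MAISTRA-2692 known issue. That known issue says Red Hat cannot support `EnvoyFilter` configuration except where explicitly documented, so link or repeat that caveat here, where readers planning the Mixer migration will look first. The section also hard-codes "Service Mesh 2.1" and "Service Mesh 2.0" where the heading uses {ProductName}.
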
18 changes: 11 additions & 7 deletions modules/ossm-rn-fixed-issues.adoc
Expand Up @@ -41,18 +41,22 @@ The following issues been resolved in the current release:

* link:https://issues.redhat.com/browse/MAISTRA-2401[MAISTRA-2401] CVE-2021-3586 servicemesh-operator: NetworkPolicy resources incorrectly specified ports for ingress resources. The NetworkPolicy resources installed for {Productname} did not properly specify which ports could be accessed. This allowed access to all ports on these resources from any pod. Network policies applied to the following resources are affected:

* Galley
* Grafana
* Istiod
* Jaeger
* Kiali
* Prometheus
* Sidecar injector
** Galley
** Grafana
** Istiod
** Jaeger
** Kiali
** Prometheus
** Sidecar injector

* link:https://issues.redhat.com/browse/MAISTRA-2378[MAISTRA-2378] When the cluster is configured to use OpenShift SDN with `ovs-multitenant` and the mesh contains a large number of namespaces (200+), the {product-title} networking plugin is unable to configure the namespaces quickly. {ProductShortName} times out causing namespaces to be continuously dropped from the service mesh and then reenlisted.

* link:https://issues.redhat.com/browse/MAISTRA-2370[MAISTRA-2370] Handle tombstones in listerInformer. The updated cache codebase was not handling tombstones when translating the events from the namespace caches to the aggregated cache, leading to a panic in the go routine.

* link:https://issues.redhat.com/browse/MAISTRA-2117[MAISTRA-2117] Add optional `ConfigMap` mount to operator. The CSV now contains an optional `ConfigMap` volume mount, which mounts the `smcp-templates` `ConfigMap` if it exists. If the `smcp-templates` `ConfigMap` does not exist, the mounted directory is empty. When you create the `ConfigMap`, the directory is populated with the entries from the `ConfigMap` and can be referenced in `SMCP.spec.profiles`. No restart of the Service Mesh operator is required.
+
Customers using the 2.0 operator with a modified CSV to mount the smcp-templates ConfigMap can upgrade to {ProductName} 2.1. After upgrading, you can continue using an existing ConfigMap, and the profiles it contains, without editing the CSV. Customers that previously used ConfigMap with a different name will either have to rename the ConfigMap or update the CSV after upgrading.

* link:https://issues.redhat.com/browse/MAISTRA-2010[MAISTRA-2010] AuthorizationPolicy does not support `request.regex.headers` field. The `validatingwebhook` rejects any AuthorizationPolicy with the field, and even if you disable that, Pilot tries to validate it using the same code, and it does not work.

* link:https://issues.jboss.org/browse/MAISTRA-1979[MAISTRA-1979] _Migration to 2.0_ The conversion webhook drops the following important fields when converting `SMCP.status` from v2 to v1:
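
Review bot: the MAISTRA-2010 entry sits in the resolved-issues list but only describes the failure (the `validatingwebhook` rejects the policy, "and it does not work") and never says what works now. For an AuthorizationPolicy field, readers need to know whether `request.regex.headers` is accepted and enforced after the fix, so state the fixed behaviour. In the MAISTRA-2117 continuation paragraph, "smcp-templates ConfigMap" drops the backticks used in the sentence above it, and "previously used ConfigMap with a different name" needs an article ("a `ConfigMap`").
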
36 changes: 35 additions & 1 deletion modules/ossm-rn-known-issues.adoc
Expand Up @@ -23,7 +23,7 @@ These limitations exist in {ProductName}:

* The Bookinfo sample application cannot be installed on IBM Z and IBM Power Systems.

* WebAssembly is unsupported on IBM Z and IBM Power Systems.
* WebAssembly is unsupported on IBM Z.

[id="ossm-rn-known-issues-ossm_{context}"]
== {ProductShortName} known issues
Expand All @@ -34,6 +34,40 @@ These are the known issues in {ProductName}:

* link:https://issues.redhat.com/browse/OSSM-285[OSSM-285] When trying to access the Kiali console, receive the following error message "Error trying to get OAuth Metadata". The workaround is to restart the Kiali pod.

* link:https://issues.redhat.com/browse/MAISTRA-2692[MAISTRA-2692] With Mixer removed, custom metrics that have been defined in {ProductShortName} 2.0.x cannot be used in 2.1. Custom metrics can be configured using `EnvoyFilter`. Red Hat is unable to support `EnvoyFilter` configuration except where explicitly documented. This is due to tight coupling with the underlying Envoy APIs, meaning that backward compatibility cannot be maintained.

* link:https://issues.jboss.org/browse/MAISTRA-2687[MAISTRA-2687] {ProductName} 2.1 federation gateway does not send the full certificate chain when using external certificates. The {ProductShortName} federation egress gateway only sends the client certificate. Because the federation ingress gateway only knows about the root certificate, it cannot verify the client certificate unless you add the root certificate to the federation import `ConfigMap`.
+
. To provide both the root certificate and CA certificate when setting the federation import `ConfigMap`:
+
[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
name: mesh1-ca-root-cert
namespace: mesh2-system
data:
root-cert.pem: |-
{{MESH1_CERT}}
----
+
. Assign the certificate values to the mesh variable:
+
[source,terminal]
----
$ MESH1_CERT=$(cat cacerts/root-cert.pem cacerts/ca-cert.pem | sed ':a;N;$!ba;s/\n/\\\n /g')
----
+
. Insert the certificate information into `ConfigMap` and apply the change:
+
[source,terminal]
----
$ sed "s:{{MESH1_CERT}}:$MESH1_CERT:g" import/configmap.yaml | oc apply -f -
----

* link:https://issues.redhat.com/browse/MAISTRA-2648[MAISTRA-2648] `ServiceMeshExtensions` are currently not compatible with meshes deployed on IBM Z Systems.

* link:https://issues.jboss.org/browse/MAISTRA-2411[MAISTRA-2411] When the Operator creates a new ingress gateway using `spec.gateways.additionaIngress` in the `ServiceMeshControlPlane`, Operator is not creating a `NetworkPolicy` for the additional ingress gateway like it does for the default istio-ingressgateway. This is causing a 503 response from the route of the new gateway. The workaround for this issue is to manually create the `NetworkPolicy` in the <istio-system> namespace.

* link:https://issues.jboss.org/browse/MAISTRA-1959[MAISTRA-1959] _Migration to 2.0_ Prometheus scraping (`spec.addons.prometheus.scrape` set to `true`) does not work when mTLS is enabled. Additionally, Kiali displays extraneous graph data when mTLS is disabled.
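
Review bot: in MAISTRA-2687 the explanation and the workaround disagree about which certificate is missing. The text says the ingress gateway "only knows about the root certificate" and that the fix is to "add the root certificate" to the import `ConfigMap`, while the procedure concatenates `cacerts/root-cert.pem` and `cacerts/ca-cert.pem`; say explicitly that the CA certificate has to be added alongside the root so the client certificate can be verified. The steps are also hard to follow in order: step 1 shows a file with the `{{MESH1_CERT}}` placeholder without naming it, and only step 3 reveals that it is `import/configmap.yaml`. The `sed ':a;N;$!ba;...'` one-liner relies on GNU sed behaviour (semicolon-terminated labels), which is worth a short note for users running the commands elsewhere.
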
79 changes: 73 additions & 6 deletions modules/ossm-rn-new-features.adoc
Expand Up @@ -4,7 +4,7 @@ Module included in the following assemblies:
////

[id="ossm-rn-new-features_{context}"]
= New features
= Core features

////
*Feature* – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes.
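
Review bot: the title changes to "= Core features" but the anchor above it is still `ossm-rn-new-features_{context}`, and the module goes on to hold "New features and enhancements" and per-release "New features" sections. Keep the old title or say in the PR what "Core features" is meant to cover, so the heading matches the content it introduces.
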
Expand All @@ -24,18 +24,85 @@ Module included in the following assemblies:
|Component |Version

|Istio
|1.6.14
|1.9.6

|Envoy Proxy
|1.17.1

|Jaeger
|1.24.1

|Kiali
|1.24.10-1

|3scale Istio Adapter
|2.0.0
|1.36.5
|===

== New features and enhancements {ProductName} 2.1

This release of {ProductName} adds support for Istio 1.9.6, Envoy Proxy 1.17.1, Jaeger 1.24.1, and Kiali 1.36.5 on {product-title} 4.6 EUS, 4.7, 4.8, and 4.9.

In addition, this release has the following new features and enhancements:

=== Service Mesh Federation

New Custom Resource Definitions (CRDs) have been added to support federating service meshes. Service meshes may be federated both within the same cluster or across different OpenShift clusters. These new resources include:

* `ServiceMeshPeer` - Defines a federation with a separate service mesh, including gateway configuration, root trust certificate configuration, and status fields. In a pair of federated meshes, each mesh will define its own separate `ServiceMeshPeer` resource.

* `ExportedServiceMeshSet` - Defines which services for a given `ServiceMeshPeer` are available for the peer mesh to import.

* `ImportedServiceSet` - Defines which services for a given `ServiceMeshPeer` are imported from the peer mesh. These services must also be made available by the peer’s `ExportedServiceMeshSet` resource.

Service Mesh Federation is not supported between clusters on Red Hat OpenShift Service on AWS (ROSA), Azure Red Hat OpenShift (ARO), or OpenShift Dedicated (OSD).

=== OVN-Kubernetes Container Network Interface (CNI) generally available

The OVN-Kubernetes Container Network Interface (CNI) was previously introduced as a Technology Preview feature in {ProductName} 2.0.1 and is now generally available in {ProductName} 2.1 and 2.0.x for use on {product-title} 4.7.32, {product-title} 4.8.12, and {product-title} 4.9.

=== Service Mesh WebAssembly (WASM) Extensions

The `ServiceMeshExtensions` Custom Resource Definition (CRD), first introduced in 2.0 as Technology Preview, is now generally available. You can use CRD to build your own plugins, but Red Hat does not provide support for the plugins you create.

Mixer has been completely removed in Service Mesh 2.1. Upgrading from a Service Mesh 2.0.x release to 2.1 will be blocked if Mixer is enabled. Mixer plugins will need to be ported to WebAssembly Extensions.

=== 3scale WebAssembly Adapter (WASM)

With Mixer now officially removed, OpenShift Service Mesh 2.1 does not support the 3scale mixer adapter. Before upgrading to Service Mesh 2.1, remove the Mixer-based 3scale adapter and any additional Mixer plugins. Then, manually install and configure the new 3scale WebAssembly adapter with Service Mesh 2.1+ using a `ServiceMeshExtension` resource.

3scale 2.11 introduces an updated Service Mesh integration based on `WebAssembly`.

=== Istio 1.9 Support

{ProductShortName} 2.1 is based on Istio 1.9, which brings in a large number of new features and product enhancements. While the majority of Istio 1.9 features are supported, the following exceptions should be noted:

* Virtual Machine integration is not yet supported
* Kubernetes Gateway API is not yet supported
* Remote fetch and load of WebAssembly HTTP filters are not yet supported
* Smart DNS Proxying is not yet supported
* Custom CA Integration using the Kubernetes CSR API is not yet supported
* Request Classification for monitoring traffic is a tech preview feature
* Integration with external authorization systems via Authorization policy’s CUSTOM action is a tech preview feature

=== Improved Service Mesh operator performance

The amount of time {ProductName} uses to prune old resources at the end of every `ServiceMeshControlPlane` reconciliation has been reduced. This results in faster `ServiceMeshControlPlane` deployments, and allows changes applied to existing SMCPs to take effect more quickly.


=== Kiali updates

Kiali 1.36 includes the following features and enhancements:

* {ProductShortName} service mesh troubleshooting functionality
** Control plane and gateway monitoring
** Proxy sync statuses
** Envoy configuration views
** Unified view showing Envoy proxy and application logs interleaved
* Namespace and cluster boxing to support federated service mesh views
* New validations, wizards, and distributed tracing enhancements

== New features {ProductName} 2.0.8

This release of {ProductName} addresses bug fixes.

== New features {ProductName} 2.0.7.1

This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs).
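
Review bot: the resource names in the added text are inconsistent. The federation list uses `ExportedServiceMeshSet` (twice) next to `ImportedServiceSet`, and the WebAssembly section calls the CRD `ServiceMeshExtensions` while the 3scale section tells users to create a `ServiceMeshExtension` resource; check each against the installed CRD kinds, since users will copy these names into manifests. Smaller points: "both within the same cluster or across" should be "either ... or", "You can use CRD" is missing "the", the upgrade block is described with different conditions here ("if Mixer is enabled") and in the deprecated-features module ("if Mixer plugins are enabled"), and there is a doubled blank line before "=== Kiali updates".
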
27 changes: 15 additions & 12 deletions modules/ossm-rn-technology-preview.adoc
Expand Up @@ -6,26 +6,29 @@ Module included in the following assemblies:
[id="ossm-rn-tech-preview_{context}"]
= Technology Preview

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.

[IMPORTANT]
====
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production.
These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see the link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Support Scope].
====

== OVN-Kubernetes technology preview

{ProductName} 2.0.1 introduces technology preview support for the OVN-Kubernetes network type on {product-title} 4.6 and 4.7.
[id="istio-compatibility-support-matrix_{context}"]
== Istio compatibility and support matrix

== WebAssembly technology preview
In the table, features are marked with the following statuses:

{ProductName} 2.0.0 introduces support for WebAssembly extensions to Envoy Proxy.
- *TP*: _Technology Preview_

Up through release 1.5, Istio implemented extensions using the Mixer Telemetry and Policy components. In
link:https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#mixer-deprecation[Istio 1.5] Mixer was deprecated and link:https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#mixer-deprecation[WebAssembly was introduced] as the new mechanism for extensions in Istio. Envoy now allows extensions using WebAssembly (“WASM”) - a format for executing code written in multiple programming languages. Mixer has been deprecated as of Istio 1.5, and will be removed in 1.8. Going forward, extensions to Istio will be implemented with Envoy plugins written with WebAssembly.
- *GA*: _General Availability_

The new Telemetry architecture is based on these WebAssembly extensions. For {ProductShortName} 2.0, we are introducing WebAssembly extensions as a Tech Preview feature. WebAssembly extensions is the new way of extending Istio functionality, replacing the Mixer component, which has been deprecated and will eventually be removed.
Note the following scope of support on the Red Hat Customer Portal for these features:

[NOTE]
====
Note that built-in Istio WASM extensions are not included in the proxy binary and that WASM filters from the upstream Istio community are not supported in {ProductName} 2.0.
====
.Istio compatibility and support matrix
[cols="1,1,1,4",options="header"]
|===
| Feature | Istio Version | Support Status | Description
| holdApplicationUntilProxyStarts | 1.7 | TP | Blocks application container startup until proxy is running
| DNS capture | 1.8 | GA | Enabled by default
|===
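
Review bot: "Note the following scope of support on the Red Hat Customer Portal for these features:" ends in a colon but is followed directly by the table title, with no link or list. Add the link it is meant to introduce or drop the sentence, since the IMPORTANT block already links the Technology Preview Support Scope. The matrix also has only two rows, while the new-features module lists Request Classification and the Authorization policy CUSTOM action as tech preview in this release; if the matrix is the reference for support status, those belong in it.
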
2 changes: 1 addition & 1 deletion modules/ossm-supported-configurations.adoc
Expand Up @@ -32,7 +32,7 @@ For additional information about {ProductName} lifecycle and supported configura
{ProductName} supports the following network configurations.

* OpenShift-SDN
* OVN-Kubernetes is supported as a technology preview in {product-title} version 4.7.
* OVN-Kubernetes

[id="ossm-supported-configurations-kiali_{context}"]
== Supported configurations for Kiali
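
Review bot: the OVN-Kubernetes bullet is now unqualified, but the new-features module in this same commit states it is generally available on {product-title} 4.7.32, 4.8.12, and 4.9. A supported-configurations page is where readers check minimums, so carry those versions here rather than dropping the qualifier entirely.
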
2 changes: 0 additions & 2 deletions service_mesh/v2x/servicemesh-release-notes.adoc
Expand Up @@ -15,8 +15,6 @@ include::modules/ossm-rn-new-features.adoc[leveloffset=+1]

include::modules/ossm-rn-technology-preview.adoc[leveloffset=+1]

For more information about WebAssembly extensions, see xref:../../service_mesh/v2x/ossm-extensions.adoc#ossm-extensions[Extensions].

include::modules/ossm-rn-deprecated-features.adoc[leveloffset=+1]

include::modules/ossm-rn-known-issues.adoc[leveloffset=+1]
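
Review bot: this removes the xref from the release notes to the Extensions assembly (`ossm-extensions.adoc`), while the 2.1 text in this commit tells users that Mixer plugins must be ported to WebAssembly Extensions before upgrading. Keep a pointer to that assembly, for example from the WebAssembly Extensions or removed-features section, so the migration instruction has a target.
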