Merge pull request #51715 from rh-tokeefe/OSSMDOC-582
OSSMDOC-582: Service Mesh 2.3 release notes
bburt-rh committed Nov 16, 2022
2 parents 963c530 + 7bdd12e commit 666e243
Showing 7 changed files with 162 additions and 24 deletions.
4 changes: 2 additions & 2 deletions _attributes/common-attributes.adoc
Expand Up @@ -132,8 +132,8 @@ endif::[]
:product-dedicated: Red Hat OpenShift Dedicated
:SMProductName: Red Hat OpenShift Service Mesh
:SMProductShortName: Service Mesh
:SMProductVersion: 2.2.3
:MaistraVersion: 2.2
:SMProductVersion: 2.3
:MaistraVersion: 2.3
//Service Mesh v1
:SMProductVersion1x: 1.1.18.2
//Windows containers
15 changes: 15 additions & 0 deletions modules/ossm-rn-deprecated-features.adoc
Expand Up @@ -15,6 +15,21 @@ Deprecated functionality is still included in {product-title} and continues to b

Removed functionality no longer exists in the product.

== Deprecated and removed features {SMProductName} 2.3

Support for the following cipher suites has been deprecated. In a future release, they will be removed from the default list of ciphers used in TLS negotiations on both the client and server sides.

* ECDHE-ECDSA-AES128-SHA
* ECDHE-RSA-AES128-SHA
* AES128-GCM-SHA256
* AES128-SHA
* ECDHE-ECDSA-AES256-SHA
* ECDHE-RSA-AES256-SHA
* AES256-GCM-SHA384
* AES256-SHA

The `ServiceMeshExtension` API, which was deprecated in {SMProductName} version 2.2, was removed in {SMProductName} version 2.3. If you are using the `ServiceMeshExtension` API, you must migrate to the `WasmPlugin` API to continue using your WebAssembly extensions.

== Deprecated features {SMProductName} 2.2

The `ServiceMeshExtension` API is deprecated as of release 2.2 and will be removed in a future release. While `ServiceMeshExtension` API is still supported in release 2.2, customers should start moving to the new `WasmPlugin` API.
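Review bot: the cipher-suite deprecation paragraph gives readers neither a reason nor a way to judge their exposure. The eight suites listed fall into two groups that are visible from their names: the `*-SHA` entries are CBC suites with an HMAC-SHA1 record MAC, and the entries with no key-exchange prefix (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA`, `AES256-SHA`) use static RSA key exchange, so they lack forward secrecy. One sentence saying that, plus a pointer to where an explicit cipher list can be set in the `SMCP` for clients that still depend on these suites, would let operators verify and act before the suites leave the default list. The `ServiceMeshExtension` removal paragraph should likewise link to the `WasmPlugin` migration procedure instead of only telling readers they "must migrate". Minor: the new heading reads "Deprecated and removed features {SMProductName} 2.3" while the existing one reads "Deprecated features {SMProductName} 2.2"; the new-features file uses "version" before the number, so pick one form.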
2 changes: 2 additions & 0 deletions modules/ossm-rn-fixed-issues.adoc
Expand Up @@ -23,6 +23,8 @@ The following issues been resolved in the current release:
+
Using {SMProductName} Operator 2.2 or 2.3, the SMMR controller no longer removes the namespaces from `SMMR.status.configuredMembers`. Instead, the controller adds the namespaces to `SMMR.status.pendingMembers` to indicate that they are not up-to-date. During reconciliation, as each namespace synchronizes with the SMCP, the namespace is automatically removed from `SMMR.status.pendingMembers`.

* https://issues.redhat.com/browse/OSSM-1962[OSSM-1962] Use `EndpointSlices` in federation controller. The federation controller now uses `EndpointSlices`, which improves scalability and performance in large deployments. The PILOT_USE_ENDPOINT_SLICE flag is enabled by default. Disabling the flag prevents use of federation deployments.

* https://issues.redhat.com/browse/OSSM-1668[OSSM-1668] A new field `spec.security.jwksResolverCA` was added to the Version 2.1 `SMCP` but was missing in the 2.2.0 and 2.2.1 releases. When upgrading from an Operator version where this field was present to an Operator version that was missing this field, the `.spec.security.jwksResolverCA` field was not available in the `SMCP`.

* https://issues.redhat.com/browse/OSSM-1325[OSSM-1325] istiod pod crashes and displays the following error message: `fatal error: concurrent map iteration and map write`.
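Review bot: in the OSSM-1962 entry, "Disabling the flag prevents use of federation deployments" is ambiguous; state plainly whether federation stops working when `PILOT_USE_ENDPOINT_SLICE` is turned off (so the flag is effectively required for federation) or whether turning it off is merely unsupported. The flag name should also be set in monospace like the other identifiers in this file. The OSSM-1668 entry describes only the defect (the `spec.security.jwksResolverCA` field disappearing from the `SMCP` on upgrade) and never says how this release resolves it; the other entries in this hunk end with the resolution, so add the matching sentence here.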
10 changes: 10 additions & 0 deletions modules/ossm-rn-known-issues.adoc
Expand Up @@ -34,6 +34,16 @@ These are the known issues in {SMProductName}:

* link:https://github.com/istio/istio/issues/14743[Istio-14743] Due to limitations in the version of Istio that this release of {SMProductName} is based on, there may be applications that are currently incompatible with {SMProductShortName}. See the linked community issue for details.

* https://issues.redhat.com/browse/OSSM-2221[OSSM-2221] Gateway injection does not work in control plane namespace. If you use the Gateway injection feature to create a gateway in the same location as the control plane, the injection fails and OpenShift generates this message:
+
`Warning Failed 10s kubelet, ocp-wide-vh8fd-worker-vhqm9 Failed to pull image "auto": rpc error: code = Unknown desc = reading manifest latest in docker.io/library/auto: errors`
+
To create a gateway in the control plane namespace, use the `gateways` parameter in the SMCP spec to configure ingress and egress gateways for the mesh.

* https://issues.redhat.com/browse/OSSM-2042[OSSM-2042] Deployment of SMCP named `default` fails. If you are creating an SMCP object, and set its version field to v2.3, the name of the object cannot be `default`. If the name is `default`, then the control plane fails to deploy, and OpenShift generates a `Warning` event with the following message:
+
`Error processing component mesh-config: error: [mesh-config/templates/telemetryv2_1.6.yaml: Internal error occurred: failed calling webhook "rev.validation.istio.io": Post "https://istiod-default.istio-system.svc:443/validate?timeout=10s": x509: certificate is valid for istiod.istio-system.svc, istiod-remote.istio-system.svc, istio-pilot.istio-system.svc, not istiod-default.istio-system.svc, mesh-config/templates/enable-mesh-permissive.yaml`

//Keep OSSM-1655 in RN, closed as "explained" error is expected.
* https://issues.redhat.com/browse/OSSM-1655[OSSM-1655] Kiali dashboard shows error after enabling mTLS in `SMCP`.
+
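Review bot: the kubelet event quoted under OSSM-2221 carries values from the test cluster where it was captured, the node name `ocp-wide-vh8fd-worker-vhqm9` and the `10s` age; replace them with placeholders such as `<node-name>` so readers do not treat them as part of the message to match. The meaningful part is `Failed to pull image "auto"`, which is what a reader will see, so it may be worth leading with that. In the OSSM-2042 entry the quoted x509 error already shows the symptom (the validation webhook is called at `istiod-default.istio-system.svc`, a name that is not among the certificate's valid names); a short sentence pointing readers to that name mismatch as the thing to look for in their own `Warning` events would make the entry easier to use.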
134 changes: 132 additions & 2 deletions modules/ossm-rn-new-features.adoc
Expand Up @@ -17,13 +17,121 @@ This release adds improvements related to the following components and concepts.

== New features {SMProductName} version {SMProductVersion}

This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), bug fixes, and is supported on OpenShift Container Platform 4.9 or later.
This release of {SMProductName} introduces new features, addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on {product-title} 4.9, 4.10, and 4.11.

=== Component versions included in {SMProductName} version {SMProductVersion}

|===
|Component |Version

|Istio
|1.14

|Envoy Proxy
|1.22.4

|Jaeger
|1.38

|Kiali
|1.57.3
|===

=== New Container Network Interface (CNI) DaemonSet container and ConfigMap

The `openshift-operators` namespace includes a new istio CNI DaemonSet `istio-cni-node-v2-3` and a new `ConfigMap` resource, `istio-cni-config-v2-3`.

When upgrading to Service Mesh Control Plane 2.3, the existing `istio-cni-node` DaemonSet is not changed, and a new `istio-cni-node-v2-3` DaemonSet is created.

This name change does not affect previous releases or any `istio-cni-node` CNI DaemonSet associated with a Service Mesh Control Plane deployed using a previous release.

=== Gateway injection support

This release introduces generally available support for Gateway injection. Gateway configurations are applied to standalone Envoy proxies that are running at the edge of the mesh, rather than the sidecar Envoy proxies running alongside your service workloads. This enables the ability to customize gateway options. When using gateway injection, you must create the following resources in the namespace where you want to run your gateway proxy: `Service`, `Deployment`, `Role`, and `RoleBinding`.

=== Istio 1.14 Support

{SMProductShortName} 2.3 is based on Istio 1.14, which brings in new features and product enhancements. While many Istio 1.14 features are supported, the following exceptions should be noted:

* ProxyConfig API is supported with the exception of the image field.
* Telemetry API is a Technology Preview feature.
* SPIRE runtime is not a supported feature.

=== OpenShift Service Mesh Console

This release introduces a Developer Preview version of the {product-title} Service Mesh Console, which integrates the Kiali interface directly into the OpenShift web console. For additional information, see link:https://cloud.redhat.com/blog/introducing-the-openshift-service-mesh-console-a-developer-preview[Introducing the OpenShift Service Mesh Console (A Developer Preview)]

=== Cluster-Wide deployment

This release introduces cluster-wide deployment as a Technology Preview feature. A cluster-wide deployment contains a Service Mesh Control Plane that monitors resources for an entire cluster. The control plane uses a single query across all namespaces to monitor each Istio or Kubernetes resource kind that affects the mesh configuration. In contrast, the multitenant approach uses a query per namespace for each resource kind. Reducing the number of queries the control plane performs in a cluster-wide deployment improves performance.

==== Configuring cluster-wide deployment

The following example `ServiceMeshControlPlane` object configures a cluster-wide deployment.

To create an SMCP for cluster-wide deployment, a user must belong to the `cluster-admin` ClusterRole. If the SMCP is configured for cluster-wide deployment, it must be the only SMCP in the cluster. You cannot change the control plane mode from multitenant to cluster-wide (or from cluster-wide to multitenant). If a multitenant control plane already exists, delete it and create a new one.

This example configures the SMCP for cluster-wide deployment.

[source,yaml]
----
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
name: cluster-wide
namespace: istio-system
spec:
version: v2.3
techPreview:
controlPlaneMode: ClusterScoped <1>
----
<1> Enables Istiod to monitor resources at the cluster level rather than monitor each individual namespace.

Additionally, the SMMR must also be configured for cluster-wide deployment. This example configures the SMMR for cluster-wide deployment.

[source,yaml]
----
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
name: default
spec:
members:
- '*' <1>
----
<1> Adds all namespaces to the mesh, including any namespaces you subsequently create. The following namespaces are not part of the mesh: kube, openshift, kube-* and openshift-*.

== New features {SMProductName} version 2.2.4

This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on OpenShift Container Platform 4.9 or later.

=== Component versions included in {SMProductName} version 2.2.4

|===
|Component |Version

|Istio
|1.14

|Envoy Proxy
|1.20.8

|Jaeger
|1.36.14

|Kiali
|1.48.3
|===

== New features {SMProductName} version 2.2.3

This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), bug fixes, and is supported on OpenShift Container Platform 4.9 or later.

=== Component versions included in {SMProductName} version 2.2.3

|===
|Component |Version

|Istio
|1.12.9

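Review bot: the 2.2.4 component table lists Istio 1.14 beside Envoy Proxy 1.20.8 and Kiali 1.48.3, while the 2.3 table in the same hunk pairs Istio 1.14 with Envoy 1.22.4 and Kiali 1.57.3. Istio 1.14 ships with Envoy 1.22, and the 2.2.3 table directly below lists Istio 1.12.9, so the 2.2.4 Istio row looks like a copy from the 2.3 table and should be checked against the actual 2.2.4 build (a 1.12.x version is what the Envoy row implies). Two smaller points in the cluster-wide example: the `ServiceMeshMemberRoll` listing has no `metadata.namespace`, whereas the `ServiceMeshControlPlane` listing sets `namespace: istio-system`; the SMMR must be created in the control plane namespace, so the example should show it. And since the SMMR's `'*'` member admits every namespace that is created later, the paragraph should say explicitly that the `cluster-admin` requirement stated for the SMCP also governs who may create or edit this SMMR, otherwise a reader may assume a project admin can widen the mesh.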
Expand Down Expand Up @@ -108,7 +216,7 @@ This release of {SMProductName} adds new features and enhancements, and is suppo
|===

=== `WasmPlugin` API
This release adds support for the `WasmPlugin` API and deprecates the `ServiceMeshExtention` API.
This release adds support for the `WasmPlugin` API and deprecates the `ServiceMeshExtension` API.

=== ROSA support
This release introduces service mesh support for Red Hat OpenShift on AWS (ROSA), including multi-cluster federation.
Expand Down Expand Up @@ -153,6 +261,28 @@ spec:
----
Restricting route attachment on Gateway API listeners is possible using the `SameNamespace` or `All` settings. Istio ignores usage of label selectors in `listeners.allowedRoutes.namespaces` and reverts to the default behavior (`SameNamespace`).

== New features {SMProductName} 2.1.5.2

This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on OpenShift Container Platform 4.9 or later.

=== Component versions included in {SMProductName} version 2.1.5.2

|===
|Component |Version

|Istio
|1.14

|Envoy Proxy
|1.17.5

|Jaeger
|1.36

|Kiali
|1.24.17
|===

== New features {SMProductName} 2.1.5.1

This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), bug fixes, and is supported on OpenShift Container Platform 4.9 or later.
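Review bot: the 2.1.5.2 component table shows Istio 1.14 next to Envoy Proxy 1.17.5, Jaeger 1.36 and Kiali 1.24.17. Envoy 1.17 belongs to the Istio 1.9 line, which is what Service Mesh 2.1 is based on, so this Istio row looks like the same copy error as in the 2.2.4 table and should be checked against the 2.1.5.1 table that follows.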
19 changes: 0 additions & 19 deletions modules/ossm-rn-technology-preview.adoc
Expand Up @@ -13,22 +13,3 @@ Some features in this release are currently in Technology Preview. These experim
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production.
These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see the link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Support Scope].
====

[id="istio-compatibility-support-matrix_{context}"]
== Istio compatibility and support matrix

In the table, features are marked with the following statuses:

- *TP*: _Technology Preview_

- *GA*: _General Availability_

Note the following scope of support on the Red Hat Customer Portal for these features:

.Istio compatibility and support matrix
[cols="1,1,1,4",options="header"]
|===
| Feature | Istio Version | Support Status | Description
| holdApplicationUntilProxyStarts | 1.7 | TP | Blocks application container startup until proxy is running
| DNS capture | 1.8 | GA | Enabled by default
|===
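Review bot: this hunk deletes the `[id="istio-compatibility-support-matrix_{context}"]` anchor together with the table; any `xref:` to that id elsewhere in the book will stop resolving, so grep for the id before merging. The deleted table was also the only place in this module stating the support status of `holdApplicationUntilProxyStarts` (TP) and DNS capture (GA); if those statuses still apply they need to be stated somewhere, and if they changed in 2.3 the change belongs in the release notes rather than disappearing silently.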
2 changes: 1 addition & 1 deletion modules/ossm-vs-istio.adoc
Expand Up @@ -139,7 +139,7 @@ The Operator annotates the default gateways to indicate that they are generated
[id="ossm-multicluster-configuration_{context}"]
== Multicluster configurations

{SMProductName} does not provide support for multicluster configurations.
{SMProductName} support for multicluster configurations is limited to the federation of service meshes across multiple clusters.

[id="ossm-certificate-signing-request_{context}"]
== Custom Certificate Signing Requests (CSR)
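Review bot: the new sentence says multicluster support is limited to federation but gives readers no way to find the federation documentation; add an xref to that topic. It would also help to name what remains unsupported (Istio's own multi-primary and primary-remote multicluster models) so that "limited to federation" is not read as a partial endorsement of those configurations.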
