diff --git a/_topic_map.yml b/_topic_map.yml
index 54a231046b46..c72924b8ed95 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -2156,64 +2156,64 @@ Name: Service Mesh Dir: service_mesh Distros: openshift-enterprise,openshift-webscale Topics: -# - Name: Service Mesh 2.x -# Dir: v2x -# Topics: -# - Name: Service Mesh 2.x release notes -# File: servicemesh-release-notes -# - Name: Service Mesh architecture -# File: ossm-architecture -# - Name: Service Mesh and Istio differences -# File: ossm-vs-community -# - Name: Preparing to install Service Mesh -# File: preparing-ossm-installation -# - Name: Installing Service Mesh -# File: installing-ossm -# - Name: Upgrading from 1.1 to 2.0 -# File: upgrading-ossm -# - Name: Customizing the installation -# File: customizing-installation-ossm -# - Name: Deploying applications on Service Mesh -# File: prepare-to-deploy-applications-ossm -# - Name: Data visualization and observability -# File: ossm-observability -# - Name: Security -# File: ossm-security -# - Name: Traffic management -# File: ossm-traffic-manage -# - Name: Custom resources -# File: ossm-custom-resources -# - Name: Extensions -# File: ossm-extensions -# - Name: Using the 3scale Istio adapter -# File: threescale-adapter -- Name: Service Mesh 1.x - Dir: v1x - Topics: - - Name: Service Mesh 1.x release notes - File: servicemesh-release-notes - - Name: Service Mesh architecture - File: ossm-architecture - - Name: Service Mesh and Istio differences - File: ossm-vs-community - - Name: Preparing to install Service Mesh - File: preparing-ossm-installation - - Name: Installing Service Mesh - File: installing-ossm - - Name: Customizing the installation - File: customizing-installation-ossm - - Name: Deploying applications on Service Mesh - File: prepare-to-deploy-applications-ossm - - Name: Data visualization and observability - File: ossm-observability - - Name: Security - File: ossm-security - - Name: Traffic management - File: ossm-traffic-manage - - Name: Custom resources - File: ossm-custom-resources - - Name: Using the 3scale Istio adapter - File: threescale-adapter + - Name: Service Mesh 
2.x + Dir: v2x + Topics: + - Name: Service Mesh 2.x release notes + File: servicemesh-release-notes + - Name: Service Mesh architecture + File: ossm-architecture + - Name: Service Mesh and Istio differences + File: ossm-vs-community + - Name: Preparing to install Service Mesh + File: preparing-ossm-installation + - Name: Installing Service Mesh + File: installing-ossm + - Name: Upgrading from 1.1 to 2.0 + File: upgrading-ossm + - Name: Customizing the installation + File: customizing-installation-ossm + - Name: Deploying applications on Service Mesh + File: prepare-to-deploy-applications-ossm + - Name: Data visualization and observability + File: ossm-observability + - Name: Security + File: ossm-security + - Name: Traffic management + File: ossm-traffic-manage + - Name: Custom resources + File: ossm-custom-resources + - Name: Extensions + File: ossm-extensions + - Name: Using the 3scale Istio adapter + File: threescale-adapter + - Name: Service Mesh 1.x + Dir: v1x + Topics: + - Name: Service Mesh 1.x release notes + File: servicemesh-release-notes + - Name: Service Mesh architecture + File: ossm-architecture + - Name: Service Mesh and Istio differences + File: ossm-vs-community + - Name: Preparing to install Service Mesh + File: preparing-ossm-installation + - Name: Installing Service Mesh + File: installing-ossm + - Name: Customizing the installation + File: customizing-installation-ossm + - Name: Deploying applications on Service Mesh + File: prepare-to-deploy-applications-ossm + - Name: Data visualization and observability + File: ossm-observability + - Name: Security + File: ossm-security + - Name: Traffic management + File: ossm-traffic-manage + - Name: Custom resources + File: ossm-custom-resources + - Name: Using the 3scale Istio adapter + File: threescale-adapter --- Name: Jaeger Dir: jaeger diff --git a/jaeger/rhbjaeger-release-notes.adoc b/jaeger/rhbjaeger-release-notes.adoc index bc3650154fab..0d35f491ba43 100644 
--- a/jaeger/rhbjaeger-release-notes.adoc +++ b/jaeger/rhbjaeger-release-notes.adoc @@ -13,4 +13,6 @@ include::modules/support.adoc[leveloffset=+1] include::modules/jaeger-rn-new-features.adoc[leveloffset=+1] +include::modules/jaeger-rn-technology-preview.adoc[leveloffset=+1] + include::modules/jaeger-rn-known-issues.adoc[leveloffset=+1] diff --git a/modules/jaeger-document-attributes.adoc b/modules/jaeger-document-attributes.adoc index b991e67fce3f..00ce8ce1013f 100644 --- a/modules/jaeger-document-attributes.adoc +++ b/modules/jaeger-document-attributes.adoc @@ -12,7 +12,7 @@ :ProductName: OpenShift Jaeger :ProductShortName: Jaeger :ProductRelease: -:ProductVersion: 1.17.4 +:ProductVersion: 1.20.0 :product-build: :DownloadURL: registry.redhat.io :kebab: image:kebab.png[title="Options menu"] @@ -24,7 +24,7 @@ :DocInfoProductName: Red Hat OpenShift Jaeger :DocInfoProductName: OpenShift Jaeger -:DocInfoProductNumber: 1.17.4 +:DocInfoProductNumber: 1.20.0 // // Book Names: // Defining the book names in document attributes instead of hard-coding them in diff --git a/modules/jaeger-rn-known-issues.adoc b/modules/jaeger-rn-known-issues.adoc index 96ff3afd8b0d..8e39646b1f7f 100644 --- a/modules/jaeger-rn-known-issues.adoc +++ b/modules/jaeger-rn-known-issues.adoc @@ -17,9 +17,7 @@ Result - If the workaround does not completely address the problem. These limitations exist in Jaeger: -* While Kafka publisher is included as part of Jaeger, it is not supported. * Apache Spark is not supported. -* Only self-provisioned Elasticsearch instances are supported. External Elasticsearch instances are not supported in this release. These are the known issues in Jaeger: diff --git a/modules/jaeger-rn-new-features.adoc b/modules/jaeger-rn-new-features.adoc index e845b2cc9c52..bbdc3ef0c582 100644 --- a/modules/jaeger-rn-new-features.adoc +++ b/modules/jaeger-rn-new-features.adoc 
@@ -2,27 +2,19 @@ Module included in the following assemblies: - rhbjaeger-release-notes.adoc //// +//// +Feature – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes. +Reason – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. +Result – If changed, describe the current user experience. +//// [id="jaeger-rn-new-features_{context}"] +== New features {ProductName} 1.20.0 +* This release of {ProductName} adds support for using an "external" Elasticsearch cluster to store tracing data, that is, an Elasticsearch instance not installed and created by the Elasticsearch Operator. -== New features {ProductName} 1.17.4 - -This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes. - -== New features {ProductName} 1.17.3 - -This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes. - -== New features {ProductName} 1.17.2 - -This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes. - -== New features {ProductName} 1.17.1 +* This release adds autoscaling support for the Jaeger Collector and Ingester. //// -Feature – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes. -Reason – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. There may not have been a 'problem' previously, but system behaviour may have changed. 
-Result – If changed, describe the current user experience +Restore this bullet point when OSSMDOC-145 is complete +* This release enabled support for services or applications running outside of an OpenShift cluster to be able to report tracing data to Jaeger running within the OpenShift cluster. //// - -This release of {ProductName} adds support for installing Jaeger as a standalone solution, rather than as a component of Red Hat OpenShift Service Mesh. diff --git a/modules/jaeger-rn-technology-preview.adoc b/modules/jaeger-rn-technology-preview.adoc new file mode 100644 index 000000000000..d06b32a04613 --- /dev/null +++ b/modules/jaeger-rn-technology-preview.adoc 
@@ -0,0 +1,23 @@
+////
+Module included in the following assemblies:
+- rhbjaeger-release-notes.adoc
+////
+
+[id="jaeger-rn-tech-preview_{context}"]
+= Technology Preview
+////
+Provide the following info for each issue if possible:
+Description - Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes. Avoid the word “supports” as in [product] now supports [feature] to avoid customer confusion with full support. Say, for example, “available as a Technology Preview.”
+Package - A brief description of what the customer has to install or enable in order to use the Technology Preview feature. (e.g., available in quickstart.zip on customer portal, JDF website, container on registry, enable option, etc.)
+////
+
+[IMPORTANT]
+====
+Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production.
+These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
+====
+
+== {ProductName} 2.0.0 Technology Preview 1
+When you install the Jaeger Operator you can select a Technology Preview version of Jaeger. This gives you access to clients and infrastructure for exporting tracing data to Jaeger based on the link:https://opentelemetry.io/[OpenTelemetry framework]. Note that this version is not supported for production environments.
+
+The OpenTelemetry collector allows developers to instrument their code with vendor agnostic APIs, avoiding vendor lock-in and opening the door to a growing ecosystem of observability tooling.
diff --git a/modules/ossm-document-attributes.adoc b/modules/ossm-document-attributes.adoc
index 4edfdacb0f5a..d221a498fb65 100644
--- a/modules/ossm-document-attributes.adoc
+++ b/modules/ossm-document-attributes.adoc
@@ -12,7 +12,7 @@
 :ProductName: Red Hat OpenShift Service Mesh
 :ProductShortName: Service Mesh
 :ProductRelease:
-:ProductVersion: 2.0
+:ProductVersion: 2.0.0
 :MaistraVersion: 2.0
 :product-build:
 :DownloadURL: registry.redhat.io
diff --git a/modules/ossm-rn-deprecated-features.adoc b/modules/ossm-rn-deprecated-features.adoc
index d7699b5d518d..f77d8f4df3e8 100644
--- a/modules/ossm-rn-deprecated-features.adoc
+++ b/modules/ossm-rn-deprecated-features.adoc
@@ -13,16 +13,21 @@ Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in {product-title} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. -== Deprecated features {ProductName} 1.1.5 +== Deprecated features {ProductName} 2.0 -The following custom resources are deprecated in this release and will be removed in a future release. +The Mixer component is deprecated and will be removed in a future release. While using Mixer for implementing extensions is still supported in release 2.0, you should be migrating your extensions to the new link:https://istio.io/latest/blog/2020/wasm-announce/[WebAssembly] mechanism. -* `Policy` - The `Policy` resource is deprecated and will be replaced by the `PeerAuthentication` resource in a future release. -* `MeshPolicy` - The `MeshPolicy` resource is deprecated and will be replaced by the `PeerAuthentication` resource in a future release. -* `v1alpha1` RBAC API -The v1alpha1 RBAC policy is deprecated by the v1beta1 `AuthorizationPolicy`. RBAC (Role Based Access Control) defines `ServiceRole` and `ServiceRoleBinding` objects. -** `ServiceRole` -** `ServiceRoleBinding` -* `RbacConfig` - `RbacConfig` implements the Custom Resource Definition for controlling Istio RBAC behavior. -** `ClusterRbacConfig`(versions prior to {ProductName} 1.0) -** `ServiceMeshRbacConfig` ({ProductName} version 1.0 and later) +The following resource types are no longer supported in {ProductName} 2.0: + +* `Policy` (authentication.istio.io/v1alpha1) is no longer supported. Depending on the specific configuration in your Policy resource, you may have to configure multiple resources to achieve the same effect. +** Use `RequestAuthentication` (security.istio.io/v1beta1) +** Use `PeerAuthentication` (security.istio.io/v1beta1) +* `ServiceMeshPolicy` (maistra.io/v1) is no longer supported. 
+** Use `RequestAuthentication` or `PeerAuthentication`, as mentioned above, but place in the control plane namespace. +* `RbacConfig` (rbac.istio.io/v1alpha1) is no longer supported. +** Replaced by `AuthorizationPolicy` (security.istio.io/v1beta1), which encompasses behavior of `RbacConfig`, `ServiceRole`, and `ServiceRoleBinding`. +* `ServiceMeshRbacConfig` (maistra.io/v1) is no longer supported. +** Use `AuthorizationPolicy` as above, but place in control plane namespace. +* `ServiceRole` (rbac.istio.io/v1alpha1) is no longer supported. +* `ServiceRoleBinding` (rbac.istio.io/v1alpha1) is no longer supported. * In Kiali, the `login` and `LDAP` strategies are deprecated. A future version will introduce authentication using OpenID providers. diff --git a/modules/ossm-rn-fixed-issues.adoc b/modules/ossm-rn-fixed-issues.adoc index 6c50e5a142bf..674715ffb5c8 100644 --- a/modules/ossm-rn-fixed-issues.adoc +++ b/modules/ossm-rn-fixed-issues.adoc 
@@ -19,87 +19,9 @@ The following issues been resolved in the current release: [id="ossm-rn-fixed-issues-ossm_{context}"] == {ProductShortName} fixed issues -* link:https://issues.redhat.com/browse/MAISTRA-1810[MAISTRA-1810] Some traces show `write flush complete` logs within the timeout period for close. +* link:https://issues.redhat.com/browse/MAISTRA-1502[Maistra-1502] As a result of CVEs fixes in version 1.0.10, the Istio dashboards are not available from the *Home Dashboard* menu in Grafana. The Istio dashboards still exist. To access them, click the *Dashboard* menu in the navigation panel and select the *Manage* tab. -* link:https://issues.redhat.com/browse/MAISTRA-1166[MAISTRA-1166] Occasional downstream connection terminations happen when requests enter a cluster via the Istio Ingress gateway. - -* link:https://issues.redhat.com/browse/MAISTRA-1629[MAISTRA-1629] Maistra doesn't respect `traffic.sidecar.istio.io/excludeOutboundPorts` pod annotation. - -* link:https://issues.redhat.com/browse/MAISTRA-1537[MAISTRA-1537] Gateway with multiple ports or protocols results in a route with a single port or protocol. - -* link:https://issues.redhat.com/browse/MAISTRA-1352[MAISTRA-1352] Cert-manager Custom Resource Definitions (CRD) from the control plane installation have been removed for this release and future releases. If you have already installed {ProductName}, the CRDs must be removed manually if cert-manager is not being used. 
-+ -To remove the CRDs, run the following commands: -+ -[source,terminal] ----- -$ oc delete crd clusterissuers.certmanager.k8s.io ----- -+ -[source,terminal] ----- -$ oc delete crd issuers.certmanager.k8s.io ----- -+ -[source,terminal] ----- -$ oc delete crd certificates.certmanager.k8s.io ----- -+ -[source,terminal] ----- -$ oc delete crd orders.certmanager.k8s.io ----- -+ -[source,terminal] ----- -$ oc delete crd challenges.certmanager.k8s.io ----- - -* link:https://issues.redhat.com/projects/MAISTRA/issues/MAISTRA-1649[MAISTRA-1649] Headless services conflict when in different namespaces. When deploying headless services within different namespaces the endpoint configuration is merged and results in invalid Envoy configurations being pushed to the sidecars. - -* link:https://issues.redhat.com/browse/MAISTRA-1541[MAISTRA-1541] Panic in kubernetesenv when the controller is not set on owner reference. If a pod has an ownerReference which does not specify the controller, this will cause a panic within the `kubernetesenv cache.go` code. - -* link:https://issues.redhat.com/browse/TRACING-1300[TRACING-1300] Failed connection between Agent and Collector when using Istio sidecar. An update of the Jaeger Operator enabled TLS communication by default between a Jaeger sidecar agent and the Jaeger Collector. - -* link:https://issues.redhat.com/browse/TRACING-1208[TRACING-1208] Authentication "500 Internal Error" when accessing Jaeger UI. When trying to authenticate to the UI using OAuth, I get a 500 error because oauth-proxy sidecar doesn't trust the custom CA bundle defined at installation time with the additionalTrustBundle. - -* link:https://issues.jboss.org/browse/OSSM-99[OSSM-99] Workloads generated from direct Pod without labels may crash Kiali. - -* link:https://issues.jboss.org/browse/OSSM-93[OSSM-93] IstioConfigList can't filter by two or more names. 
- -* link:https://issues.jboss.org/browse/OSSM-92[OSSM-92] Cancelling unsaved changes on the VS/DR YAML edit page does not cancel the changes. - -* link:https://issues.jboss.org/browse/OSSM-90[OSSM-90] Traces not available on the service details page. - -[id="ossm-rn-fixed-issues-maistra_{context}"] -* link:https://issues.jboss.org/browse/MAISTRA-1001[MAISTRA-1001] Closing HTTP/2 connections could lead to segmentation faults in `istio-proxy`. - -* link:https://issues.jboss.org/browse/MAISTRA-932[MAISTRA-932] Added the `requires` metadata to add dependency relationship between Jaeger operator and Elasticsearch operator. Ensures that when the Jaeger operator is installed, it automatically deploys the Elasticsearch operator if it is not available. - -* link:https://issues.jboss.org/browse/MAISTRA-862[MAISTRA-862] Galley dropped watches and stopped providing configuration to other components after many namespace deletions and re-creations. - -* link:https://issues.jboss.org/browse/MAISTRA-833[MAISTRA-833] Pilot stopped delivering configuration after many namespace deletions and re-creations. - -* link:https://issues.jboss.org/browse/MAISTRA-684[MAISTRA-684] The default Jaeger version in the `istio-operator` is 1.12.0, which does not match Jaeger version 1.13.1 that shipped in {ProductName} 0.12.TechPreview. - -* link:https://issues.jboss.org/browse/MAISTRA-622[MAISTRA-622] In Maistra 0.12.0/TP12, permissive mode does not work. The user has the option to use Plain text mode or Mutual TLS mode, but not permissive. - -* link:https://issues.jboss.org/browse/MAISTRA-572[MAISTRA-572] Jaeger cannot be used with Kiali. In this release Jaeger is configured to use the OAuth proxy, but is also only configured to work through a browser and does not allow service access. Kiali cannot properly communicate with the Jaeger endpoint and it considers Jaeger to be disabled. See also link:https://issues.jboss.org/browse/TRACING-591[TRACING-591]. 
- -* link:https://issues.jboss.org/browse/MAISTRA-357[MAISTRA-357] In OpenShift 4 Beta on AWS, it is not possible, by default, to access a TCP or HTTPS service through the ingress gateway on a port other than port 80. The AWS load balancer has a health check that verifies if port 80 on the service endpoint is active. Without a service running on port 80, the load balancer health check fails. - -* link:https://issues.jboss.org/browse/MAISTRA-348[MAISTRA-348] OpenShift 4 Beta on AWS does not support ingress gateway traffic on ports other than 80 or 443. If you configure your ingress gateway to handle TCP traffic with a port number other than 80 or 443, you have to use the service hostname provided by the AWS load balancer rather than the OpenShift router as a workaround. +* link:https://bugzilla.redhat.com/show_bug.cgi?id=1821432[Bug 1821432] Toggle controls in {product-title} Control Resource details page do not update the CR correctly. UI Toggle controls in the Service Mesh Control Plane (SMCP) Overview page in the {product-title} web console sometimes update the wrong field in the resource. To update a SMCP, edit the YAML content directly or update the resource from the command line instead of clicking the toggle controls. [id="ossm-rn-fixed-issues-kiali_{context}"] == Kiali fixed issues - -* link:https://issues.jboss.org/browse/KIALI-3239[KIALI-3239] If a Kiali Operator pod has failed with a status of “Evicted” it blocks the Kiali operator from deploying. The workaround is to delete the Evicted pod and redeploy the Kiali operator. - -* link:https://issues.jboss.org/browse/KIALI-3118[KIALI-3118] After changes to the ServiceMeshMemberRoll, for example adding or removing projects, the Kiali pod restarts and then displays errors on the Graph page while the Kiali pod is restarting. - -* link:https://issues.jboss.org/browse/KIALI-3096[KIALI-3096] Runtime metrics fail in {ProductShortName}. 
There is an OAuth filter between the {ProductShortname} and Prometheus, requiring a bearer token to be passed to Prometheus before access is granted. Kiali has been updated to use this token when communicating to the Prometheus server, but the application metrics are currently failing with 403 errors. - -* link:https://issues.jboss.org/browse/KIALI-3070[KIALI-3070] This bug only affects custom dashboards, not the default dashboards. When you select labels in metrics settings and refresh the page, your selections are retained in the menu but your selections are not displayed on the charts. - -* link:https://github.com/kiali/kiali/issues/1603[KIALI-2686] When the control plane has many namespaces, it can lead to performance issues. diff --git a/modules/ossm-rn-known-issues.adoc b/modules/ossm-rn-known-issues.adoc index 750a85af6c78..6ced2d5fcad5 100644 --- a/modules/ossm-rn-known-issues.adoc +++ b/modules/ossm-rn-known-issues.adoc 
@@ -26,14 +26,48 @@ These limitations exist in {ProductName}: These are the known issues in {ProductName}: -* link:https://issues.redhat.com/browse/MAISTRA-1502[Maistra-1502] As a result of CVEs fixes in version 1.0.10, the Istio dashboards are not available from the *Home Dashboard* menu in Grafana. The Istio dashboards still exist. To access them, click the *Dashboard* menu in the navigation panel and select the *Manage* tab. +* link:https://issues.jboss.org/browse/MAISTRA-1088[MAISTRA-1088]/link:https://issues.jboss.org/browse/MAISTRA-1621[MAISTRA-1621] 2.0 Migration Issues +** Gateways created in a non-control plane namespace will not be automatically deleted. Users will need to manually delete these resources after removing the gateway definition from the SMCP spec. +** Prometheus scraping (`spec.addons.prometheus.scrape` set to `true`) does not work when mTLS is enabled. Additionally, Kiali displays extraneous graph data when mTLS is disabled. ++ +Both problems can be addressed by excluding port 15020 from proxy configuration, for example, ++ +[source,yaml] +---- +spec: + proxy: + networking: + trafficControl: + inbound: + excludedPorts: + - 15020 +---- ++ +* link:https://issues.redhat.com/browse/OSSM-296[OSSM-296] When adding health configuration to the Kiali custom resource (CR) is it not being replicated to the Kiali configmap. -* link:https://bugzilla.redhat.com/show_bug.cgi?id=1821432[Bug 1821432] Toggle controls in {product-title} Control Resource details page do not update the CR correctly. UI Toggle controls in the Service Mesh Control Plane (SMCP) Overview page in the {product-title} web console sometimes update the wrong field in the resource. To update a SMCP, edit the YAML content directly or update the resource from the command line instead of clicking the toggle controls. 
+* link:https://issues.redhat.com/browse/OSSM-216[OSSM-291] In the Kiali console, on the Applications, Services, and Workloads pages, the "Remove Label from Filters" function is not working. -* link:https://access.redhat.com/solutions/4970771[Jaeger/Kiali Operator upgrade blocked with operator pending] When upgrading the Jaeger or Kiali Operators with Service Mesh 1.0.x installed, the operator status shows as Pending. There is a solution in progress and a workaround. See the linked Knowledge Base article for more information. +* link:https://issues.redhat.com/browse/OSSM-289[OSSM-289] In the Kiali console, on the Service Details pages for the 'istio-ingressgateway' and 'jaeger-query' services there are no Traces being displayed. The traces exist in Jaeger. + +* link:https://issues.redhat.com/browse/OSSM-287[OSSM-287] In the Kiali console there are no traces being displayed on the Graph Service. + +* link:https://issues.redhat.com/browse/OSSM-285[OSSM-285] When trying to access the Kiali console, receive the following error message "Error trying to get OAuth Metadata". The workaround is to restart the Kiali pod. * link:https://github.com/istio/istio/issues/14743[Istio-14743] Due to limitations in the version of Istio that this release of {ProductName} is based on, there are several applications that are currently incompatible with {ProductShortName}. See the linked community issue for details. +* link:https://issues.jboss.org/browse/MAISTRA-1979[MAISTRA-1979] _Migration to 2.0_ The conversion webhook drops the following important fields when converting SMCP.status from v2 to v1: + +** conditions +** components +** observedGeneration +** annotations ++ +This means that upgrading the operator to 2.0 might break client tools that read the SMCP status using the maistra.io/v1 version of the resource. ++ +This also causes the READY and STATUS columns to be empty when you run `oc get servicemeshcontrolplanes.v1.maistra.io`. 
+ +* link:https://issues.jboss.org/browse/MAISTRA-1947[MAISTRA-1947] _Technology Preview_ Updates to ServiceMeshExtensions are not applied. The workaround is to remove and recreate the ServiceMeshExtensions. + * link:https://issues.jboss.org/browse/MAISTRA-858[MAISTRA-858] The following Envoy log messages describing link:https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated[deprecated options and configurations associated with Istio 1.1.x] are expected: + ** [2019-06-03 07:03:28.943][19][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.listener.Filter.config'. This configuration will be removed from Envoy soon. @@ -54,7 +88,6 @@ If the `istio-operator` pod is evicted while deploying the control pane, delete * link:https://issues.jboss.org/browse/MAISTRA-158[MAISTRA-158] Applying multiple gateways referencing the same hostname will cause all gateways to stop functioning. - [id="ossm-rn-known-issues-kiali_{context}"] == Kiali known issues diff --git a/modules/ossm-rn-new-features.adoc b/modules/ossm-rn-new-features.adoc index bf335c851bb6..c7a2385d8308 100644 --- a/modules/ossm-rn-new-features.adoc +++ b/modules/ossm-rn-new-features.adoc 
@@ -24,16 +24,36 @@ Result – If changed, describe the current user experience |Component |Version |Istio -|1.6.0 +|1.6.5 |Jaeger -|1.19.2 +|1.20.0 |Kiali -|1.24.0 +|1.24.2 |3scale Istio Adapter |2.0.0 |=== == New features {ProductName} 2.0 + +This release of {ProductName} adds support for Istio 1.6.5, Jaeger 1.20.0, Kiali 1.24.2, and the 3scale Istio Adapter 2.0 and OpenShift Container Platform 4.6. + +In addition, this release has the following new features: + +* Introduces a re-architected control plane. The Mixer component has been deprecated and will be removed in a future release. The other control plane components, Pilot, Galley, Citadel, have been combined into a single binary known as `istiod`; the "d" stands for daemon. +** Simplifies installation, upgrades, and management of the control plane. +** Reduces the control plane's resource usage and startup time. +** Improves performance by reducing inter-control plane communication over networking. + +* Adds support for Envoy's Secret Discovery Service (SDS). SDS is a more secure and efficient mechanism for delivering secrets to Envoy side car proxies. +** Removes the need to use Kubernetes Secrets, which have well known security risks. +** Improves performance during certificate rotation, as proxies no longer require a restart to recognize new certificates. +** Enables integration with 3rd party certificate managers, such as Vault and Spire. + +* Adds support for Istio's Telemetry v2 architecture, which is built using WebAssembly extensions. This new architecture brings significant performance improvements. + +* Updates the ServiceMeshControlPlane resource to v2 with a streamlined configuration to make it easier to manage the Control Plane. + +* Introduces WebAssembly extensions as a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature. 
diff --git a/modules/ossm-rn-technology-preview.adoc b/modules/ossm-rn-technology-preview.adoc
new file mode 100644
index 000000000000..021bbde6ec26
--- /dev/null
+++ b/modules/ossm-rn-technology-preview.adoc
@@ -0,0 +1,34 @@
+////
+Module included in the following assemblies:
+- v2x\servicemesh-release-notes.adoc
+////
+
+[id="ossm-rn-tech-preview_{context}"]
+= Technology Preview
+////
+Provide the following info for each issue if possible:
+Description - Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes. Avoid the word “supports” as in [product] now supports [feature] to avoid customer confusion with full support. Say, for example, “available as a Technology Preview.”
+Package - A brief description of what the customer has to install or enable in order to use the Technology Preview feature. (e.g., available in quickstart.zip on customer portal, JDF website, container on registry, enable option, etc.)
+////
+
+[IMPORTANT]
+====
+Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production.
+These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
+====
+
+= WebAsssembly Technology Preview
+
+{ProductName} 2.0.0 introduces support for WebAssembly extensions to Envoy Proxy.
+
+Up through release 1.5, Istio implemented extensions using the Mixer Telemetry and Policy components. In
+link:https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#mixer-deprecation[Istio 1.5] Mixer was deprecated and link:https://istio.io/latest/news/releases/1.5.x/announcing-1.5/upgrade-notes/#mixer-deprecation[WebAssembly was introduced] as the new mechanism for extensions in Istio. 
Envoy now allows extensions using WebAssembly (“WASM”) - a format for executing code written in multiple programming languages. Mixer has been deprecated as of Istio 1.5, and will be removed in 1.8. Going forward, extensions to Istio will be implemented with Envoy plugins written with WebAssembly. + +The new Telemetry architecture is based on these WebAssembly extensions. For {ProductShortName} 2.0, we are introducing WebAssembly extensions as a Tech Preview feature. WebAssembly extensions is the new way of extending Istio functionality, replacing the Mixer component, which has been deprecated and will eventually be removed. + +For more information about WebAssembly extensions, see the xref:../../service_mesh/v2x/ossm-extensions.adoc[Extensions]. + +[NOTE] +==== +Note that built-in Istio WASM extensions are not included in the proxy binary and that WASM filters from the upstream Istio community are not supported in {ProductName} 2.0. +==== diff --git a/modules/ossm-supported-configurations-v1x.adoc b/modules/ossm-supported-configurations-v1x.adoc index 09278c7324a7..0b744f8ae251 100644 --- a/modules/ossm-supported-configurations-v1x.adoc +++ b/modules/ossm-supported-configurations-v1x.adoc @@ -21,6 +21,8 @@ OpenShift Online and OpenShift Dedicated are not supported for {ProductName}. * This release only supports configurations where all {ProductShortName} components are contained in the OpenShift cluster in which it operates. It does not support management of microservices that reside outside of the cluster, or in a multi-cluster scenario. * This release only supports configurations that do not integrate external services such as virtual machines. +For additional information about {ProductName} lifecycle and supported configurations, refer to the link:https://access.redhat.com/support/policy/updates/openshift#ossm[Support Policy]. + [id="ossm-supported-configurations-kiali_{context}"] == Supported configurations for Kiali on {ProductName} 
diff --git a/modules/ossm-supported-configurations.adoc b/modules/ossm-supported-configurations.adoc index b20e3363db65..9847a51926ae 100644 --- a/modules/ossm-supported-configurations.adoc +++ b/modules/ossm-supported-configurations.adoc @@ -21,6 +21,8 @@ OpenShift Online and OpenShift Dedicated are not supported for {ProductName}. * This release only supports configurations where all {ProductShortName} components are contained in the OpenShift cluster in which it operates. It does not support management of microservices that reside outside of the cluster, or in a multi-cluster scenario. * This release only supports configurations that do not integrate external services such as virtual machines. +For additional information about {ProductName} lifecycle and supported configurations, refer to the link:https://access.redhat.com/support/policy/updates/openshift#ossm[Support Policy]. + [id="ossm-supported-configurations-kiali_{context}"] == Supported configurations for Kiali on {ProductName} diff --git a/service_mesh/v2x/customizing-installation-ossm.adoc b/service_mesh/v2x/customizing-installation-ossm.adoc index b748301a5d16..bd7c08ecb6c5 100644 --- a/service_mesh/v2x/customizing-installation-ossm.adoc +++ b/service_mesh/v2x/customizing-installation-ossm.adoc @@ -4,7 +4,7 @@ include::modules/ossm-document-attributes.adoc[] :context: customizing-installation-ossm-v2x toc::[] -After your default `ServiceMeshControlPlane` resource is deployed, you can configure the resource to suit your environment. +After your default `ServiceMeshControlPlane` resource is deployed, you can configure the resource to suit your environment. == Resources for configuring your `ServiceMeshControlPlane` resource 
@@ -12,8 +12,8 @@ Read more about how to configure your `ServiceMeshControlPlane` resource further
 * See xref:../../service_mesh/v2x/ossm-observability.adoc#ossm-observability[Data visualization and observability] for more information about Kiali and visualizing your data.
 * See xref:../../service_mesh/v2x/ossm-security.adoc#ossm-security[Security] for configuring mTLS, cipher suites, and external certificate authorities.
-* See xref:../../service_mesh/v2x/ossm-traffic-manage.adoc#ossm-routing-traffic[Traffic management] to configure your routing.
-* See xref:../../service_mesh/v2x/ossm-custom-resources.adoc#ossm-custom-resources-v2x[Custom resources] for more information about all the configurable fields in your `ServiceMeshControlPlane` resource.
+* See xref:../../service_mesh/v2x/ossm-traffic-manage.adoc#ossm-routing-traffic[Traffic management] to configure your routing.
+* See xref:../../service_mesh/v2x/ossm-custom-resources.adoc#ossm-custom-resources[Custom resources] for more information about all the configurable fields in your `ServiceMeshControlPlane` resource.
 include::modules/ossm-updating-smcp.adoc[leveloffset=+1]
diff --git a/service_mesh/v2x/ossm-custom-resources.adoc b/service_mesh/v2x/ossm-custom-resources.adoc
index 2ef27c5ecae2..fbcbc4910dd8 100644
--- a/service_mesh/v2x/ossm-custom-resources.adoc
+++ b/service_mesh/v2x/ossm-custom-resources.adoc
@@ -1,4 +1,4 @@
-[id="ossm-custom-resources-v2x"]
+[id="ossm-custom-resources"]
 = Custom resources
 include::modules/ossm-document-attributes.adoc[]
 :context: ossm-custom-resources-v2x
@@ -35,4 +35,4 @@ include::modules/ossm-jaeger-config-elasticsearch.adoc[leveloffset=+2]
 For more information about configuring Elasticsearch with {product-title}, see xref:../../logging/config/cluster-logging-log-store.adoc[Configuring the log store].
-include::modules/ossm-cr-threescale.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/ossm-cr-threescale.adoc[leveloffset=+1]
diff --git a/service_mesh/v2x/servicemesh-release-notes.adoc b/service_mesh/v2x/servicemesh-release-notes.adoc
index ceaa383dfbb0..4ce5239a59e6 100644
--- a/service_mesh/v2x/servicemesh-release-notes.adoc
+++ b/service_mesh/v2x/servicemesh-release-notes.adoc
@@ -35,6 +35,8 @@ include::modules/ossm-supported-configurations.adoc[leveloffset=+1]
 include::modules/ossm-rn-new-features.adoc[leveloffset=+1]
+include::modules/ossm-rn-deprecated-features.adoc[leveloffset=+1]
+
 include::modules/ossm-rn-known-issues.adoc[leveloffset=+1]
 include::modules/jaeger-rn-known-issues.adoc[leveloffset=+2]
diff --git a/service_mesh/v2x/upgrading-ossm.adoc b/service_mesh/v2x/upgrading-ossm.adoc
index 01253b998d54..f3c5c75292f9 100644
--- a/service_mesh/v2x/upgrading-ossm.adoc
+++ b/service_mesh/v2x/upgrading-ossm.adoc
@@ -63,7 +63,7 @@ Alternatively, you can use the console to create the control plane. In the {prod
 [id="ossm-upgrading-differences_{context}"]
 == Configuring the 2.0 `ServiceMeshControlPlane`
-The `ServiceMeshControlPlane` resource has been updated for {ProductName} version 2.0. After you created a v2 version of the `ServiceMeshControlPlane` resource, modify it to take advantage of the new features and to fit your deployment. Consider the following changes to the specification and behavior of {ProductName} 2.0 as you're modifying your `ServiceMeshControlPlane` resource. You can also refer to the {ProductName} 2.0 product documentation for updates to features you use. The v2 resource must be used for {ProductName} 2.0 installations.
+The `ServiceMeshControlPlane` resource has been updated for {ProductName} version 2.0. After you created a v2 version of the `ServiceMeshControlPlane` resource, modify it to take advantage of the new features and to fit your deployment. Consider the following changes to the specification and behavior of {ProductName} 2.0 as you're modifying your `ServiceMeshControlPlane` resource. You can also refer to the {ProductName} 2.0 product documentation for updates to features you use. The v2 resource must be used for {ProductName} 2.0 installations.
 [id="ossm-upgrading-differences-arch_{context}"]
 === Architecture changes
@@ -110,7 +110,7 @@ Mutual TLS enforcement is accomplished using the `security.istio.io/v1beta1` Pee
 Additional authentication methods specified in `spec.origins`, must be mapped into a `security.istio.io/v1beta1` RequestAuthentication resource. `spec.selector.matchLabels` must be configured similarly to the same field on PeerAuthentication. Configuration specific to JWT principals from `spec.origins.jwt` items map to similar fields in `spec.rules` items.
-* `spec.origins[x].jwt.triggerRules` specified in the Policy must be mapped into one or more `security.istio.io/v1beta1` AuthorizationPolicy resources. Any `spec.selector.labels` must be configured similarly to the same field on RequestAuthentication.
+* `spec.origins[x].jwt.triggerRules` specified in the Policy must be mapped into one or more `security.istio.io/v1beta1` AuthorizationPolicy resources. Any `spec.selector.labels` must be configured similarly to the same field on RequestAuthentication.
 * `spec.origins[x].jwt.triggerRules.excludedPaths` must be mapped into an AuthorizationPolicy whose spec.action is set to ALLOW, with `spec.rules[x].to.operation.path` entries matching the excluded paths.
 * `spec.origins[x].jwt.triggerRules.includedPaths` must be mapped into a separate AuthorizationPolicy whose `spec.action` is set to `ALLOW`, with `spec.rules[x].to.operation.path` entries matching the included paths, and `spec.rules.[x].from.source.requestPrincipals` entries that align with the `specified spec.origins[x].jwt.issuer` in the Policy resource.
@@ -138,9 +138,9 @@ This resource is replaced by using a `security.istio.io/v1beta1` AuthorizationPo
 [id="ossm-upgrading-mig-mixer_{context}"]
 === Mixer plugins
-Mixer components are disabled by default in version 2.0. If you rely on Mixer plugins for your workload, you must configure your version 2.0 `ServiceMeshControlPlane` to include the Mixer components.
+Mixer components are disabled by default in version 2.0. If you rely on Mixer plugins for your workload, you must configure your version 2.0 `ServiceMeshControlPlane` to include the Mixer components.
-To enable the Mixer policy components, add the following snippet to your `ServiceMeshControlPlane`.
+To enable the Mixer policy components, add the following snippet to your `ServiceMeshControlPlane`.
 [source,yaml]
 ----
@@ -149,7 +149,7 @@ spec:
 type: Mixer
 ----
-To enable the Mixer telemetry components, add the following snippet to your `ServiceMeshControlPlane`.
+To enable the Mixer telemetry components, add the following snippet to your `ServiceMeshControlPlane`.
 [source,yaml]
 ----
@@ -167,7 +167,7 @@ Built-in WASM filters included in the upstream Istio distribution are not availa
 The mTLS feature only considers PeerAuthentication policies that affect an entire namespace or the entire mesh. There is no selector. When using mTLS with workload specific PeerAuthentication policies, a corresponding DestinationRule is required to allow traffic if the workload policy differs from the namespace/global policy.
-Auto mTLS is enabled by default, but can be disabled by setting `spec.security.dataPlane.automtls` to false in the `ServiceMeshControlPlane` resource. When disabling auto mTLS, DestinationRules may be required for proper communication between services. For example, setting PeerAuthentication to `STRICT` for one namespace may prevent services in other namespaces from accessing them, unless a DestinationRule configures TLS mode for the services in the namespace.
+Auto mTLS is enabled by default, but can be disabled by setting `spec.security.dataPlane.automtls` to false in the `ServiceMeshControlPlane` resource. When disabling auto mTLS, DestinationRules may be required for proper communication between services. For example, setting PeerAuthentication to `STRICT` for one namespace may prevent services in other namespaces from accessing them, unless a DestinationRule configures TLS mode for the services in the namespace.
 For information about mTLS, see xref:../../service_mesh/v2x/ossm-security.adoc#ossm-security-mtls_ossm-security[Enabling mutual Transport Layer Security (mTLS)]
@@ -325,7 +325,7 @@ Mutual TLS for data plane communication is configured through `spec.security.dat
 Istiod manages client certificates and private keys used by service proxies. By default, istiod uses a self-signed certificate for signing, but you can configure a custom certificate and private key. For more information about how to configure signing keys, see xref:../../service_mesh/v2x/ossm-security.html#ossm-cert-manage_ossm-security[Adding an external certificate authority key and certificate]
 [id="ossm-upgrading-config-tracing_{context}"]
-=== Tracing
+=== Tracing
 Tracing is configured under `spec.tracing`. Currently, the only type of tracer that is supported is `Jaeger`. Sampling is a scaled integer representing 0.01% increments, e.g. 1 is 0.01% and 10000 is 100%. The tracing implementation and sampling rate can be specified:
@@ -385,15 +385,15 @@ Resources are configured under `spec.runtime.`. The following compone
 |Component |Description |Versions supported
 |security
-|Citadel container
+|Citadel container
 |v1.0/1.1
-|galley
-|Galley container
+|galley
+|Galley container
 |v1.0/1.1
-|pilot
-|Pilot/istiod container
+|pilot
+|Pilot/istiod container
 |v1.0/1.1/2.0
 |mixer
@@ -412,58 +412,58 @@ Resources are configured under `spec.runtime.`. The following compone
 |oauth-proxy container used with various addons
 |v1.0/1.1/2.0
-|`sidecarInjectorWebhook`
-|sidecar injector webhook container
+|`sidecarInjectorWebhook`
+|sidecar injector webhook container
 |v1.0/1.1
-|`tracing.jaeger`
+|`tracing.jaeger`
 |general Jaeger container - not all settings may be applied. Complete customization of Jaeger installation is supported by specifying an existing Jaeger resource in the control plane configuration.
 |v1.0/1.1/2.0
 |`tracing.jaeger.agent`
-|settings specific to Jaeger agent
+|settings specific to Jaeger agent
 |v1.0/1.1/2.0
 |`tracing.jaeger.allInOne`
-|settings specific to Jaeger allInOne
+|settings specific to Jaeger allInOne
 |v1.0/1.1/2.0
 |`tracing.jaeger.collector`
-|settings specific to Jaeger collector
+|settings specific to Jaeger collector
 |v1.0/1.1/2.0
 |`tracing.jaeger.elasticsearch`
-|settings specific to Jaeger elasticsearch deployment
+|settings specific to Jaeger elasticsearch deployment
 |v1.0/1.1/2.0
 |`tracing.jaeger.query`
-|settings specific to Jaeger query
+|settings specific to Jaeger query
 |v1.0/1.1/2.0
-|prometheus
-|prometheus container
+|prometheus
+|prometheus container
 |v1.0/1.1/2.0
-|kiali
+|kiali
 |Kiali container - complete customization of Kiali installation is supported by specifying an existing Kiali resource in the control plane configuration.
 |v1.0/1.1/2.0
-|grafana
-|Grafana container
+|grafana
+|Grafana container
 |v1.0/1.1/2.0
-|3scale
-|3scale container
+|3scale
+|3scale container
 |v1.0/1.1/2.0
-|`wasmExtensions.cacher`
-|WASM extensions cacher container
+|`wasmExtensions.cacher`
+|WASM extensions cacher container
 |v2.0 - tech preview
 |===
-For an example, of how to configure Pilot resource scheduling see xref:../../service_mesh/v2x/customizing-installation-ossm.adoc#ossm-cr-pilot_customizing-installation-ossm[Istio Pilot configuration]
+For an example, of how to configure Pilot resource scheduling see xref:../../service_mesh/v2x/ossm-custom-resources.adoc#ossm-cr-pilot_ossm-custom-resources-v2x[Istio Pilot configuration]
 [id="ossm-upgrading-mig-apps_{context}"]
 == Next steps for migrating your applications and workflows
-Move the application workload to the new mesh and remove the old instances to complete your upgrade.
\ No newline at end of file
+Move the application workload to the new mesh and remove the old instances to complete your upgrade.