diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst index 33a8d04a3..48a4e0033 100644 --- a/docs/RELEASE-NOTES.rst +++ b/docs/RELEASE-NOTES.rst @@ -1,23 +1,36 @@ Release Notes for Container Ingress Services for Kubernetes & OpenShift ======================================================================= -Next Release +2.11.1 ------------- Added Functionality ``````````````````` -* Base image upgraded to RedHat UBI-9 for CIS Container images. +* Next generation routes preview. Refer `Documentation `_ for more details. + * Support for default routeGroup (Migration Only) +* Base image upgraded to RedHat UBI-9 for CIS Container image. * Support for AS3 3.41.0 Bug Fixes ```````````` -* Fix to remove unused ingress health monitors * Add pattern definition in CR schema to align with F5 BIGIP Object Naming convention * :issues:`2153` Update go.mod to v2 +* :issues:`2657` WAF policy name does not allow hyphen (-) Documentation `````````````` -* Add UserGuides +* User guides `See here `_ +* :issues:`2606` Applying setup files from clouddocs fails + +CIS Helm Chart Fixes +`````````````````````` +* CRD Schema Update +* RBAC Update + +FIC Helm Chart Fixes +`````````````````````` +* Add support for infoblox credentials using k8s secrets in helm charts + 2.11.0 ------------- diff --git a/docs/config_examples/next-gen-routes/README.md b/docs/config_examples/next-gen-routes/README.md index f2d17db66..16e1a983f 100644 --- a/docs/config_examples/next-gen-routes/README.md +++ b/docs/config_examples/next-gen-routes/README.md 
@@ -610,6 +610,10 @@ Yes you can continue the SSL Profiles in route annotations. Yes you can define the Kubernetes secret in route's SSL annotations. ### Can we configure health monitors using route annotations? Yes you can continue using the health monitors in route annotations. +### Can we configure waf using route annotations? +Yes you can continue using the waf in route annotations. +### Can we configure allowSourceRange using route annotations? +Yes you can continue using the allowSourceRange in route annotations. ### Any changes in RBAC? No. ### How do I use policy CR with routes? diff --git a/docs/config_examples/next-gen-routes/migration-guide.md b/docs/config_examples/next-gen-routes/migration-guide.md index ba370cccf..d055795aa 100644 --- a/docs/config_examples/next-gen-routes/migration-guide.md +++ b/docs/config_examples/next-gen-routes/migration-guide.md 
@@ -15,15 +15,73 @@ NextGenRoute Controller uses extendedConfigMap for extending the native resources (routes). All the routes are group by namespaces or namespace-labels into RouteGroups. Each RouteGroup shares the same vsAddress, vsName and policy CR which is specified in extendedConfigMap. In order to migrate to nextGen we first need to create an extended ConfigMap and policy CR then modify the CIS deployment accordingly. Refer `NextGen Route Documentation `_ for more details -## Prerequisites -Stop the running CIS. - -## Deprecated Annotations +## Migration using defaultRouteGroup +Currently, RouteGroup are expected to define per namespace or namespace label as follows: +``` +extendedRouteSpec: +- namespace: foo + vserverAddr: 10.8.0.4 + vserverName: nextgenroutes + allowOverride: true +- namespace: bar + vserverAddr: 10.8.0.5 + allowOverride: false +``` +``` +extendedRouteSpec: +- namespaceLabel: environment=dev + vserverAddr: 10.8.3.11 + vserverName: nextgenroutes + bigIpPartition: dev + policyCR: default/sample-policy +- namespaceLabel: environment=test + vserverAddr: 10.8.3.12 + policyCR: default/sample-policy +``` + +In legacy routes, all http/https routes grouped into a single virtual server on BIGIP. 
Following CIS deployment args are used for the legacy virtual server creation: + +``` +route-http-vserver - vserverName for http server + +route-https-vserver - vserverName for https server + +route-vserver-addr - vserver address +``` + + +In nextgen controller, we can provide the same servername and address in baseRouteSpec using defaultRouteGroup as follows: +``` +data: + extendedSpec: | + baseRouteSpec: + tlsCipher: + tlsVersion: 1.2 + ciphers: DEFAULT + cipherGroup: /Common/f5-default + defaultTLS: + clientSSL: /Common/clientssl + serverSSL: /Common/serverssl + reference: bigip + defaultRouteGroup: + vserverAddr: 10.8.0.10 + vserverName: ose_server + policyCR: "" +``` + +#### defaultRouteGroup Config Parameters +| Parameter | Required | Description | +|-------------|----------|---------------------------------------------------------------| +| vserverAddr | Mandatory | Bind address for virtual server for OpenShift Route objects.| +| vserverName | Mandatory | The name of the http virtual server for OpenShift Routes.| +| policyCR | Optional | Name of Policy CR to attach profiles/policies defined in it. | -* "virtual-server.f5.com/allow-source-range" or "virtual-server.f5.com/whitelist-source-range" annotation is deprecate, you can define the allow-source-range in Policy CR. See Step-3 below. -* "virtual-server.f5.com/waf" - This annotation is deprecate, you can define the waf in Policy CR. See Step-3 below. +**Note**: + 1. defaultRouteGroup and extendedRouteSpec are mutually exclusive.Error out on extendedConfigMap processing with invalid configuration error. + 2. https virtual server name will be automatically created using vserverName i.e. _. -**Note**: You can still keep the annotations in your routes. CIS will simply ignore to process these annotations. +## Prerequisites +Stop the running CIS. ## Example Migration to nextGen Routes 
@@ -33,30 +91,30 @@ Consider CIS configured to manage Routes with following configuration. CIS Deployment Arguments: - ``` - args: [ - "--bigip-username=admin", - "--bigip-password=admin", - "--bigip-url=10.10.10.20", - "--bigip-partition=openshift", - "--pool-member-type=cluster", - "--openshift-sdn-name=/Common/openshift_vxlan", - "--manage-routes=true", - "--namespace=f5demo", - "--namespace=f5demo2", - "--route-vserver-addr=10.192.75.107", - "--log-level=DEBUG", - "--log-as3-response=true", - "--route-http-vserver=test_unsecure_vs", - "--route-https-vserver=test_secure_vs", - "--default-client-ssl=/Common/clientssl", - "--default-server-ssl=/Common/serverssl", - "--tls-version=1.3", - "--cipher-group=/Common/f5-default", - "--insecure=true", - "--route-label=f5type=systest", - ] - ``` +``` + args: [ + "--bigip-username=admin", + "--bigip-password=admin", + "--bigip-url=10.10.10.20", + "--bigip-partition=openshift", + "--pool-member-type=cluster", + "--openshift-sdn-name=/Common/openshift_vxlan", + "--manage-routes=true", + "--namespace=f5demo", + "--namespace=f5demo2", + "--route-vserver-addr=10.192.75.107", + "--log-level=DEBUG", + "--log-as3-response=true", + "--route-http-vserver=test_unsecure_vs", + "--route-https-vserver=test_secure_vs", + "--default-client-ssl=/Common/clientssl", + "--default-server-ssl=/Common/serverssl", + "--tls-version=1.3", + "--cipher-group=/Common/f5-default", + "--insecure=true", + "--route-label=f5type=systest", + ] +``` Sample Route: 
@@ -103,120 +161,103 @@ Sample Route: kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml ``` -#### Step-2 Grouping the routes using Namespace labels -* If CIS is watching all the namespaces or specific namespaces, customer/user needs to introduce the namespace-label parameter in CIS deployment and tag all the monitored namespaces with namespace-label. See Step-5. -* If CIS is watching namespaces using namespaceLabel, then no additional changes required in CIS deployment. +#### Step-2 Creating Extended ConfigMap using defaultRouteGroup -You can use following command to add the label to a namespace - - ``` - oc label namespaces f5demo cis=true - oc label namespaces f5demo2 cis=true - ``` - -#### Step-3 Creating Extended ConfigMap - -Extended ConfigMap is a must to use the nextGen Route Controller. Refer `Documentation `_ for more details +Extended ConfigMap is a must-use with the nextGen Route Controller. Refer `Documentation `_ for more details You can create an extended ConfigMap for given example as follows: * You can define the vserverAddr same as "route-vserver-addr" parameter in CIS deployment. 
-* Use the namespace label created in step-2 to group the routes - ``` - apiVersion: v1 - kind: ConfigMap - metadata: - name: global-spec-config - namespace: f5demo2 - data: - extendedSpec: | - baseRouteSpec: - tlsCipher: - tlsVersion: 1.3 - cipherGroup: /Common/f5-default - defaultTLS: - clientSSL: /Common/clientssl - serverSSL: /Common/serverssl - reference: bigip - extendedRouteSpec: - - namespaceLabel: cis=true - vserverAddr: 10.192.75.107 - vserverName: test_vs - policyCR: f5demo2/sample-policy - ``` +``` +apiVersion: v1 +kind: ConfigMap +metadata: + name: global-spec-config + namespace: f5demo2 +data: + extendedSpec: | + baseRouteSpec: + tlsCipher: + tlsVersion: 1.3 + cipherGroup: /Common/f5-default + defaultTLS: + clientSSL: /Common/clientssl + serverSSL: /Common/serverssl + reference: bigip + defaultRouteGroup: + vserverAddr: 10.192.75.107 + vserverName: ose_server + policyCR: +``` **Note**: Make sure the namespace where we created the ConfigMap monitored by CIS. -#### Step-4: Prepare the Policy CR -You can create the Policy CR as follows for WAF and AllowSourceRange annotations: - - ``` - apiVersion: cis.f5.com/v1 - kind: Policy - metadata: - labels: - f5cr: "true" - name: sample-policy - namespace: f5demo2 - spec: - l7Policies: - waf: /Common/WAF_Policy - l3Policies: - allowSourceRange: - - 1.2.3.4/32 - - 2.2.2.0/24 - ``` - -**Note**: +#### Step-3: Prepare the Policy CR (Optional) +It's an optional step you can continue using WAF and AllowSourceRange annotations in routes. You can create the Policy CR as follows for WAF and AllowSourceRange annotations: + +``` +apiVersion: cis.f5.com/v1 +kind: Policy +metadata: + labels: + f5cr: "true" + name: sample-policy + namespace: f5demo2 +spec: + l7Policies: + waf: /Common/WAF_Policy + l3Policies: + allowSourceRange: + - 1.2.3.4/32 + - 2.2.2.0/24 +``` + +**Note**: + * If WAF/AllowSourceRange is defined in both route annotation & policy CR, route annotation takes the priority by default. 
* You can use the Policy CR to extend the virtual server capabilities even more. [See Details](https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/Policy). * Make sure the namespace where we created the policy CR monitored by CIS. -#### Step-5 Update the CIS deployment parameters and start +#### Step-4 Update the CIS deployment parameters and start * Configure --controller-mode: openshift to use NextGen Route controller in CIS. - ``` - - --controller-mode - - openshift - ``` +``` + - --controller-mode + - openshift +``` * Configure extended ConfigMap and specify that in the CIS deployment parameter. - ``` - - --route-spec-configmap - - f5demo2/global-spec-config - ``` - -* If CIS is watching all the namespaces or specific namespaces, customer needs to introduce the namespace-label parameter in CIS deployment and tag all the monitored namespaces with namespace-label. See Step-2 above. - - ``` - - --namespace-label=cis=true - ``` +``` + - --route-spec-configmap + - f5demo2/global-spec-config +``` * Remove "route-vserver-addr" parameter from CIS deployment and define as vserverAddr in extendedConfigMap. -* Remove "route-http-vserver" & "route-https-vserver" parameters from CIS deployment and define vserverName in extendedConfigMap. CIS will add suffix "_443" for secure virtual server. See Step-2 below. +* Remove "route-http-vserver" & "route-https-vserver" parameters from CIS deployment and define vserverName in extendedConfigMap. CIS will add suffix "_443" for secure virtual server. See Step-2 above. -* Remove "default-client-ssl" & "default-server-ssl" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 below. +* Remove "default-client-ssl" & "default-server-ssl" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 above. 
-* Remove "tls-version", "cipher-group" & "ciphers" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 below. +* Remove "tls-version", "cipher-group" & "ciphers" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 above. * Remove "override-as3-declaration" parameter as it's no more supported with NextGen Routes. You can use the Policy CR to extend the virtual server capabilities. [See Example](https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/Policy). - ``` - args: [ - "--bigip-username=admin", - "--bigip-password=admin", - "--bigip-url=10.10.10.20", - "--bigip-partition=openshift", - "--pool-member-type=cluster", - "--openshift-sdn-name=/Common/openshift_vxlan", - "--controller-mode=openshift", - "--namespace-label=cis=true", - "--log-level=DEBUG", - "--log-as3-response=true", - "--route-spec-configmap=f5demo2/global-spec-config", - "--insecure=true", - "--route-label=f5type=systest", - ] - ``` +``` + args: [ + "--bigip-username=admin", + "--bigip-password=admin", + "--bigip-url=10.10.10.20", + "--bigip-partition=openshift", + "--pool-member-type=cluster", + "--openshift-sdn-name=/Common/openshift_vxlan", + "--controller-mode=openshift", + "--namespace=f5demo", + "--namespace=f5demo2", + "--log-level=DEBUG", + "--log-as3-response=true", + "--route-spec-configmap=f5demo2/global-spec-config", + "--insecure=true", + "--route-label=f5type=systest", + ] +``` diff --git a/docs/upgradeProcess.md b/docs/upgradeProcess.md index 1648d1f0d..c7008972d 100644 --- a/docs/upgradeProcess.md +++ b/docs/upgradeProcess.md 
@@ -35,7 +35,7 @@ Compatibility Matrix | v2.10.0 | v16.0 | v1.24 | v4.11.1 | Yes | Yes | v3.38 | v0.1.8 | v0.0.2 | v0.0.22 |Red Hat Enterprise Linux release 8.6 (Ootpa)| | v2.10.1 | v16.0 | v1.24 | v4.11.1 | Yes | Yes | v3.38 | v0.1.8 | v0.0.2 | v0.0.22 |Red Hat Enterprise Linux release 8.6 (Ootpa)| | v2.11.0 | v16.0 | v1.24 | v4.11.1 | Yes | Yes | v3.38 | v0.1.8 | v0.0.3 | v0.0.22 |Red Hat Enterprise Linux release 8.7 (Ootpa)| -| v2.11.1 | v16.0 | v1.24 | v4.11.1 | Yes | Yes | v3.38 | v0.1.8 | v0.0.3 | v0.0.23 |Red Hat Enterprise Linux release 9.1 (Plow)| +| v2.11.1 | v16.0 | v1.24 | v4.11.1 | Yes | Yes | v3.41 | v0.1.8 | v0.0.4 | v0.0.23 |Red Hat Enterprise Linux release 9.1 (Plow)| CIS Features and Examples 
@@ -254,6 +254,6 @@ Refer Release Notes for [CIS v2.11.0](https://github.com/F5Networks/k8s-bigip-ct Refer Release Notes for [CIS v2.11.1](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/RELEASE-NOTES.rst) **_Configuration Change:_** -* Add pattern definition in CR schema to align with F5 BIGIP Object Naming convention -* RBAC Changes to read the openshift network config -* Moving to CIS > 2.11.1 requires update to RBAC and CR schema definition before upgrade. See [RBAC](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/rbac/clusterrole.yaml) and [CR schema](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml) \ No newline at end of file +* Add pattern definition in CR schema to align with F5 BIGIP object naming convention. +* RBAC changes to read the openshift network config +* Moving to CIS > 2.11.1 requires an update to RBAC and CR schema definition. See [RBAC](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/rbac/clusterrole.yaml) and [CR schema](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml) \ No newline at end of file
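Review bot: the Bug Fixes list in the RELEASE-NOTES.rst hunk drops `* Fix to remove unused ingress health monitors` without a replacement; if that fix still ships in 2.11.1 the entry should stay, and if it was reverted the removal deserves its own line so readers are not left guessing. Two of the new links, `Refer `Documentation `_ for more details` and `* User guides `See here `_`, have no target between the link text and the closing backtick, so they will render as unresolved references in RST; add the URLs. Minor: the nested bullet says `default routeGroup` while the migration guide hunks in this same patch use `defaultRouteGroup` as the field name; use one spelling.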
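Review bot: in the next-gen-routes README hunk, both new FAQ answers say the annotation can still be used but not what happens when the same setting is also present in the Policy CR; the migration guide in this same patch states that the route annotation takes priority, and that precedence is exactly what a reader of this FAQ needs, so state it here too (for example "If WAF or allowSourceRange is set both in the route annotation and in the Policy CR, the annotation wins"). Also name the annotations (`virtual-server.f5.com/waf`, `virtual-server.f5.com/allow-source-range`), since the removed "Deprecated Annotations" section was the only place they were spelled out, and write "WAF" rather than "waf" in the heading and answer.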
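Review bot: in the migration-guide hunk at `@@ -15,15 +15,73 @@`, item 2 of the new note, `2. https virtual server name will be automatically created using vserverName i.e. _.`, has lost the pattern it is meant to show; the Step-4 text later in this patch says CIS appends `_443`, so write the derived name out explicitly (vserverName followed by `_443`) so the two statements agree. Item 1 is two fragments run together (`mutually exclusive.Error out on extendedConfigMap processing with invalid configuration error`); reword it to say that CIS rejects the extendedConfigMap with an invalid-configuration error when both keys are set, and add what happens to the routes in that state (is the ConfigMap ignored, is the last good configuration kept?), since that is what an operator hitting the error needs to know. The two examples also differ on the empty policy reference (`policyCR: ""` here, bare `policyCR:` in Step-2); pick one form, use it in both, and note in the parameter table that an empty value means no Policy CR is attached. Grammar: "RouteGroup are expected to define per namespace" reads better as "RouteGroups are defined per namespace", and "all http/https routes grouped into a single virtual server" needs "are grouped".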
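Review bot: in the migration-guide hunk at `@@ -103,120 +161,103 @@`, the new Step-3 note `If WAF/AllowSourceRange is defined in both route annotation & policy CR, route annotation takes the priority by default` has a security consequence the guide should spell out: whoever can edit a Route can replace the WAF policy or widen the allowSourceRange chosen by the owner of the Policy CR, so say plainly that the Policy CR is not an enforced floor when annotations are present. "By default" also implies a switch that changes the precedence, but none is named here; either document that option or drop the phrase. Smaller points in the same hunk: `Refer `Documentation `_ for more details` is RST link syntax inside a Markdown file and has no target, so it will not render as a link; `Extended ConfigMap is a must-use with the nextGen Route Controller` reads awkwardly ("An extended ConfigMap is required by the nextGen Route Controller"); and the post-migration args example keeps `"--insecure=true"` (skip verification of the BIG-IP certificate) and `"--bigip-password=admin"`, which is acceptable for a lab walkthrough but deserves one sentence saying production deployments should not copy those two lines.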
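Review bot: in the upgradeProcess.md hunk at `@@ -254,6 +254,6 @@`, `Moving to CIS > 2.11.1 requires an update to RBAC and CR schema definition` is off by one: this list sits under the v2.11.1 release notes and the RBAC and CRD changes are listed for 2.11.1 itself, so it should read "to CIS 2.11.1 or later". Dropping "before upgrade" from the end of that line loses the ordering that matters: the new RBAC rule (`RBAC changes to read the openshift network config`) and the updated CR schema have to be applied before the 2.11.1 controller is started, otherwise it comes up without the permissions and schema validation it expects; keep the phrase. Minor: the first bullet gained a trailing period and the other two did not, and "openshift" should be "OpenShift".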